Control: AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed

This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. A failed finding indicates you may have unused Amazon EC2 security groups.

Unless there is a business need to retain them, you should remove unused resources to maintain an accurate inventory of system components.

Remediation

You must perform the following steps for each security group not attached to an ENI.

1. Open the Amazon VPC console 2. In the navigation pane, under Security, choose Security groups. 3. Select the check box for the security group to delete. 4. From Actions, choose Delete security group. 5. Choose Delete.

PCI requirement(s): 2.4

Resource Types

This control targets the following resource types:

AWS > VPC > Security Group

Policies

This control type relies on these other policies when running actions:

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/vpcSecurityGroupAssociated

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/vpcSecurityGroupAssociated") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/vpcSecurityGroupAssociated'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/vpcSecurityGroupAssociated"