Turbot Guardrails Hub 
Hub
  • Mods
  • Policy Packs
  • Docs
  • Home
ModsPolicy PacksDocsHome
Mods
AWS
Loading policies...

Policy: AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed

This control helps you maintain an accurate asset inventory of needed security groups in your cardholder data environment (CDE). It does so by checking that security groups are attached to Amazon EC2 instances or to an ENI. A failed finding indicates you may have unused Amazon EC2 security groups.

Unless there is a business need to retain them, you should remove unused resources to maintain an accurate inventory of system components.

Remediation

You must perform the following steps for each security group not attached to an ENI.

1. Open the Amazon VPC console 2. In the navigation pane, under Security, choose Security groups. 3. Select the check box for the security group to delete. 4. From Actions, choose Delete security group. 5. Choose Delete.

PCI requirement(s): 2.4

Targets

This policy targets the following resource types:

  • AWS > VPC > Security Group

Primary Policy

This policy is used with the following primary policy:

  • AWS > PCI v3.2.1 > EC2

Controls

Setting this policy configures this control:

  • AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed

Policy Specification

Schema Type
string
Default
Per AWS > PCI v3.2.1
Valid Values [YAML]
  • Per AWS > PCI v3.2.1

  • Skip

  • Check: Benchmark
Examples [YAML]
  • Skip

Category

  • Compliance > PCI

In Your Workspace

  • Policy Settings by Type report

Developers

    Category URI
    • tmod:@turbot/turbot#/control/categories/compliancePci
    • Policy Type URI
    • tmod:@turbot/aws-pciv3-2-1#/policy/types/vpcSecurityGroupAssociated
    • GraphQL
    • query policyType(id: "tmod:@turbot/aws-pciv3-2-1#/policy/types/vpcSecurityGroupAssociated") { … }
    • query policySettings(filter: "policyTypeId:'tmod:@turbot/aws-pciv3-2-1#/policy/types/vpcSecurityGroupAssociated'") { … }
    • query policyValues(filter: "policyTypeId:'tmod:@turbot/aws-pciv3-2-1#/policy/types/vpcSecurityGroupAssociated'") { … }
    • CLI
    • Get Policy Type
    • turbot graphql policy-type --id "tmod:@turbot/aws-pciv3-2-1#/policy/types/vpcSecurityGroupAssociated"
      • Get Policy Settings
    • turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/aws-pciv3-2-1#/policy/types/vpcSecurityGroupAssociated"
Guardrails
Guardrails Hub
  • Hub
  • Docs
  • Blog
  • Changelog
Products
  • GuardrailsGuardrails
  • PipesPipes
  • SteampipeSteampipe
  • PowerpipePowerpipe
  • FlowpipeFlowpipe
  • TailpipeTailpipe
Turbot
  • Home
  • About us
  • We're hiring!
  • Contact us
Community

Our community of practitioners love to discuss cloud governance & security.

Slack logoJoin us on Slack →

System StatusLegalSecurity
Terms of UseSecurityPrivacy
182
Mods
520
Resource Types
9,010
Policies
3,503
Controls
1,927
Quick Actions
547
IAM