Resource Type: AWS > VPC > Security Group
The Security Group resource type is part of the Amazon Web Services (AWS) VPC service. Each Security Group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic. It allows you to specify the protocols, ports, and source IP ranges that can reach your EC2 instances, ensuring a secure and controlled networking environment.
Resource Context
Security Group is a part of the VPC service.
Each Security Group lives under a VPC.
Controls
The primary controls for AWS > VPC > Security Group are:
It is also targeted by these controls:
- AWS > CIS v1 > 4 Networking > 4.01 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
- AWS > CIS v1 > 4 Networking > 4.02 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
- AWS > CIS v1 > 4 Networking > 4.03 Ensure the default security group of every VPC restricts all traffic (Scored)
- AWS > CIS v1.4 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
- AWS > CIS v1.4 > 5 - Networking > 5.03 - Ensure the default security group of every VPC restricts all traffic (Automated)
- AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
- AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
- AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
- AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
- AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
- AWS > HIPAA > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- AWS > HIPAA > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- AWS > HIPAA > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC default security group should not allow inbound and outbound traffic
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
- AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
- AWS > PCI v3.2.1 > EC2 > 2 VPC default security group should prohibit inbound and outbound traffic
- AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed
- AWS > PCI v3.2.1 > EC2 > 5 Security groups should not allow ingress from 0.0.0.0/0 to port 22
- AWS > VPC > Security Group Rule > Discovery
Quick Actions
- Set Tags
- Skip alarm for Active control
- Skip alarm for Active control [90 days]
- Skip alarm for Approved control
- Skip alarm for Approved control [90 days]
- Skip alarm for Tags control
- Skip alarm for Tags control [90 days]
Category: Networking
In Your Workspace
- Controls by Resource Type report
- Policy Settings by Resource Type report
- Resources by Resource Type report
Developers
- Resource Type URI: tmod:@turbot/aws-vpc-security#/resource/types/securityGroup
- Category URI: tmod:@turbot/turbot#/resource/categories/networking
- GraphQL / CLI: turbot graphql resource --id "tmod:@turbot/aws-vpc-security#/resource/types/securityGroup"
- Steampipe Query:
  - Get Resource: select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/aws-vpc-security#/resource/types/securityGroup';
  - Get Policy Settings (By Resource ID): select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/aws-vpc-security#/resource/types/securityGroup"';
  - Get Resource Notification: select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/aws-vpc-security#/resource/types/securityGroup' and notification_type in ('resource_updated', 'resource_created');