Turbot Guardrails Hub 

Resource Type: AWS > VPC > Security Group

The Security Group resource type is part of the Amazon Web Services (AWS) VPC service. Each Security Group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic. It allows you to specify the protocols, ports, and source IP ranges that can reach your EC2 instances, ensuring a secure and controlled networking environment.

Resource Context

Security Group is a part of the VPC service.

Each Security Group lives under a VPC.

Controls

The primary controls for AWS > VPC > Security Group are:

  • Active
  • Allowed
  • Approved
  • CMDB
  • Configured
  • Discovery
  • Egress Rules
  • Ingress Rules
  • Intelligent Assessment
  • ServiceNow
  • Tags
  • Usage

It is also targeted by these controls:

  • AWS > CIS v1 > 4 Networking > 4.01 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)
  • AWS > CIS v1 > 4 Networking > 4.02 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)
  • AWS > CIS v1 > 4 Networking > 4.03 Ensure the default security group of every VPC restricts all traffic (Scored)
  • AWS > CIS v1.4 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)
  • AWS > CIS v1.4 > 5 - Networking > 5.03 - Ensure the default security group of every VPC restricts all traffic (Automated)
  • AWS > CIS v2.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v2.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v3.0 > 5 - Networking > 5.02 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v3.0 > 5 - Networking > 5.04 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v4.0 > 5 - Networking > 5.01 - Elastic Compute Cloud (EC2) > 5.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access
  • AWS > CIS v4.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v4.0 > 5 - Networking > 5.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v4.0 > 5 - Networking > 5.05 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v5.0 > 5 - Networking > 5.01 - EC2 > 5.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access
  • AWS > CIS v5.0 > 5 - Networking > 5.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v5.0 > 5 - Networking > 5.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v5.0 > 5 - Networking > 5.05 - Ensure the default security group of every VPC restricts all traffic
  • AWS > CIS v6.0 > 6 - Networking > 6.01 - Elastic Compute Cloud (EC2) > 6.01.02 - Ensure CIFS access is restricted to trusted networks to prevent unauthorized access
  • AWS > CIS v6.0 > 6 - Networking > 6.03 - Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
  • AWS > CIS v6.0 > 6 - Networking > 6.04 - Ensure no security groups allow ingress from ::/0 to remote server administration ports
  • AWS > CIS v6.0 > 6 - Networking > 6.05 - Ensure the default security group of every VPC restricts all traffic
  • AWS > HIPAA > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
  • AWS > HIPAA > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
  • AWS > HIPAA > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
  • AWS > NIST 800-53 > VPC > VPC default security group should not allow inbound and outbound traffic
  • AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
  • AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress SSH access from 0.0.0.0/0
  • AWS > NIST 800-53 > VPC > VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
  • AWS > PCI v3.2.1 > EC2 > 2 VPC default security group should prohibit inbound and outbound traffic
  • AWS > PCI v3.2.1 > EC2 > 3 Unused EC2 security groups should be removed
  • AWS > PCI v3.2.1 > EC2 > 5 Security groups should not allow ingress from 0.0.0.0/0 to port 22
  • AWS > VPC > Security Group Rule > Discovery

Quick Actions

  • Delete
  • Revoke Unapproved Rules
  • Router
  • Set Tags
  • Skip alarm for Active control
  • Skip alarm for Active control [90 days]
  • Skip alarm for Approved control
  • Skip alarm for Approved control [90 days]
  • Skip alarm for Tags control
  • Skip alarm for Tags control [90 days]
  • Update Tags

Category

  • Networking

In Your Workspace

  • Controls by Resource Type report
  • Policy Settings by Resource Type report
  • Resources by Resource Type report

Developers

  • Resource Type URI
    • tmod:@turbot/aws-vpc-security#/resource/types/securityGroup
  • Category URI
    • tmod:@turbot/turbot#/resource/categories/networking
  • GraphQL
    • query resource(id: "tmod:@turbot/aws-vpc-security#/resource/types/securityGroup") { … }
    • query resourceActivities(filter: "resourceId:'tmod:@turbot/aws-vpc-security#/resource/types/securityGroup'") { … }
    • mutation createResource(input: { … })
    • mutation updateResource(input: { … })
  • CLI
    • Get Resource
    • turbot graphql resource --id "tmod:@turbot/aws-vpc-security#/resource/types/securityGroup"
  • Steampipe Query
    • Get Resource
    • select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/aws-vpc-security#/resource/types/securityGroup';
    • Get Policy Settings (By Resource ID)
    • select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/aws-vpc-security#/resource/types/securityGroup"';
    • Get Resource Notification
    • select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/aws-vpc-security#/resource/types/securityGroup' and notification_type in ('resource_updated', 'resource_created');