Amazon EC2

EC2 LaunchWizard Security Groups

This plugin ensures security groups created by the EC2 launch wizard are not used

Risk Level: Low

Description

This plugin ensures security groups created by the EC2 launch wizard are not used. Security groups created by the EC2 launch wizard are usually exposed publicly, since their default inbound rules are open to the internet. As a best practice, create custom security groups with explicit, least-privilege rules instead of relying on launch-wizard security groups.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With Amazon EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without having to provision or maintain the underlying hardware. Security groups act as a firewall for an EC2 instance, controlling its incoming and outgoing traffic. You can read more about security groups in the AWS documentation.

Impact

Security groups act as a firewall for EC2 instances, controlling incoming and outgoing traffic. A security group's rules allow specific IP ranges to reach the instance on the protocol and ports specified.

Without properly restricted inbound rules, resources that use launch-wizard security groups can be accidentally exposed to the public internet.

Steps to Reproduce

Using AWS Console-

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. Go to Security Groups in the Network & Security section of the left navigation pane.
  4. From the list of security groups, check whether there is a security group whose name starts with “launch-wizard”. If one is present, the vulnerability exists.
  5. Repeat step 4 for all the security groups you want to investigate.
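The console check above can be scripted. The following is an added example, not the plugin's own code: it applies the same “name starts with launch-wizard” test to security groups in the shape returned by the EC2 DescribeSecurityGroups API, and additionally reports which inbound rules are open to the whole internet. The sample groups are constructed inline; the `evaluate_account` helper is an assumption that requires boto3 and AWS credentials.

```python
"""Flag EC2 launch-wizard security groups (added example, not the plugin's code)."""
import ipaddress

# Constructed sample data shaped like DescribeSecurityGroups output (not real accounts).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "launch-wizard-1", "VpcId": "vpc-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "launch-wizard-2", "VpcId": "vpc-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "web-tier-sg", "VpcId": "vpc-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

def is_launch_wizard(group):
    """Same test the console procedure applies: the name starts with launch-wizard."""
    return group.get("GroupName", "").startswith("launch-wizard")

def public_rules(group):
    """Return (protocol, from_port, to_port) for inbound rules open to 0.0.0.0/0 or ::/0."""
    found = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        # A prefix length of 0 matches every address in that family.
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs if c):
            found.append((perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")))
    return found

def evaluate(groups):
    """One FAIL finding per launch-wizard group, with its internet-open inbound rules."""
    return [{"GroupId": g["GroupId"], "GroupName": g["GroupName"],
             "public_rules": public_rules(g), "status": "FAIL"}
            for g in groups if is_launch_wizard(g)]

def evaluate_account(region):
    """Live variant (assumed helper): pulls every group in the region via boto3."""
    import boto3  # requires boto3 and valid AWS credentials
    paginator = boto3.client("ec2", region_name=region).get_paginator("describe_security_groups")
    groups = [g for page in paginator.paginate() for g in page["SecurityGroups"]]
    return evaluate(groups)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_GROUPS):
        print(finding)
```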

Steps for Remediation

Delete the launch wizard security group and replace it with a custom security group:

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in.
  3. Go to Security Groups in the Network & Security section of the left navigation pane.
  4. You will see a list of the available security groups. From the list, select the vulnerable security group by clicking the checkbox next to it.
  5. From the Actions menu, click Delete security groups.
  6. Repeat steps 4 and 5 for all the security groups you want to fix.