6.21 Create the App tier ELB Security Group and ensure only accepts HTTP/HTTPS

Information

A _security group_ acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in the AWS Virtual Private Cloud (VPC), you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add _rules_ that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.
The SG associated with the App tier ELB should allow connectivity from the security group associated with Web tier instances only for the HTTP (TCP 80) and HTTPS (TCP 443) ports.

The HTTP and HTTPS defaults are used here as an example; other ports would apply depending on the application design.

Solution

Using the Amazon unified command line interface:

* First remove all the existing ingress rules from the security group associated with the App tier ELB (save the current rule set to a file, then revoke exactly that set):

aws ec2 describe-security-groups --group-ids <app_tier_elb_security_group> --query "SecurityGroups[0].IpPermissions" > /tmp/IpPermissions.json
aws ec2 revoke-security-group-ingress --group-id <app_tier_elb_security_group> --ip-permissions file:///tmp/IpPermissions.json

* Create locally the JSON file below, containing ingress rules for the HTTP (TCP 80) and HTTPS (TCP 443) ports only from <web_tier_security_group>, and name it IpPermissions.json:

[
  {
    "PrefixListIds": [],
    "FromPort": 80,
    "IpRanges": [],
    "ToPort": 80,
    "IpProtocol": "tcp",
    "UserIdGroupPairs": [
      {
        "UserId": "<aws_account_number>",
        "GroupId": "<web_tier_security_group>"
      }
    ]
  },
  {
    "PrefixListIds": [],
    "FromPort": 443,
    "IpRanges": [],
    "ToPort": 443,
    "IpProtocol": "tcp",
    "UserIdGroupPairs": [
      {
        "UserId": "<aws_account_number>",
        "GroupId": "<web_tier_security_group>"
      }
    ]
  }
]

* Add the above ingress rules to the security group associated with the App tier ELB:

aws ec2 authorize-security-group-ingress --group-id <app_tier_elb_security_group> --ip-permissions file:///PathTo/IpPermissions.json
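To verify the result (or audit an existing App tier ELB security group) without relying on a visual read of the console, the following added check, which is not part of the CIS benchmark text, evaluates the IpPermissions document saved by the describe-security-groups command above against this control: every ingress rule must be TCP 80 or 443 and sourced only from the Web tier security group, with no CIDR or prefix-list sources. The sample permissions, group IDs and account number are constructed placeholders.

```python
import json

# Constructed sample of what `aws ec2 describe-security-groups ... --query
# "SecurityGroups[0].IpPermissions"` returns; IDs and account number are
# placeholders, not real values. The 443 rule has a stray 0.0.0.0/0 source.
SAMPLE_PERMISSIONS = json.loads("""
[
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
   "UserIdGroupPairs": [{"UserId": "111111111111", "GroupId": "sg-web-tier"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
   "UserIdGroupPairs": [{"UserId": "111111111111", "GroupId": "sg-web-tier"}]}
]
""")

ALLOWED_TCP_PORTS = {80, 443}


def find_violations(permissions, web_tier_sg):
    """Return one finding per rule element that breaks the control: the only
    permitted sources are the Web tier SG and the only permitted ports are
    TCP 80 and 443. An empty list means the security group is compliant."""
    findings = []
    for rule in permissions:
        proto = rule.get("IpProtocol")
        frm, to = rule.get("FromPort"), rule.get("ToPort")
        label = f"{proto}/{frm}-{to}"
        # "-1" (all traffic), UDP/ICMP, or any range beyond a single 80/443 port fails
        if proto != "tcp" or frm != to or frm not in ALLOWED_TCP_PORTS:
            findings.append(f"{label}: not HTTP (80) or HTTPS (443)")
        # Any CIDR or prefix-list source means the rule is not limited to the Web tier SG
        for r in rule.get("IpRanges", []):
            findings.append(f"{label}: open to {r.get('CidrIp')}")
        for r in rule.get("Ipv6Ranges", []):
            findings.append(f"{label}: open to {r.get('CidrIpv6')}")
        for p in rule.get("PrefixListIds", []):
            findings.append(f"{label}: open to prefix list {p.get('PrefixListId')}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != web_tier_sg:
                findings.append(f"{label}: sourced from {pair.get('GroupId')}, not the Web tier SG")
    return findings


def is_compliant(permissions, web_tier_sg):
    return not find_violations(permissions, web_tier_sg)


if __name__ == "__main__":
    # Replace SAMPLE_PERMISSIONS with json.load(open("/tmp/IpPermissions.json")) for a real SG
    for finding in find_violations(SAMPLE_PERMISSIONS, "sg-web-tier"):
        print("FAIL:", finding)
```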

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11)

Plugin: amazon_aws

Control ID: 9dec97218e1df0825342902dec4f116fb5f4611d6b0e3c8c1d2bfac10f0a7c1b