6.22 Create the App tier Security Group and ensure it allows inbound connections from App tier ELB Security Group for explicit ports

Information

A _security group_ acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in the AWS Virtual Private Cloud (VPC), you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add _rules_ that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

This is required for both the configured port and protocol for the listener on the back-end instance and the port and protocol used for the health check.
This protects the App-server tier from unauthorized access, it is recommended to add inbound security group rules that allow traffic for the specific application protocol and ports by referencing as source the security group associated with the App tier ELB.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Using the Amazon unified command line interface:

* First remove all the ingress rules for the App tier security group (use the "AppTierSecurityGroup" element from Audit procedure):

aws ec2 describe-security-groups --group-id _<__app_tier_security_group_> --query "SecurityGroups[0].IpPermissions" > /tmp/IpPermissions.json
aws ec2 revoke-security-group-ingress --group-id _<__app_tier_security_group_> --ip-permissions file:///tmp/IpPermissions.json

* Add an ingress rule for a specific port, using --source-group option to specify the App tier ELB security group as the source of the connections:

aws ec2 authorize-security-group-ingress --group-id _<__app_tier_security_group_> --protocol tcp --port _<specific_port>_ --source-group _<__app_tier_elb_security_group_>

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11)

Plugin: amazon_aws

Control ID: 84408925e6d6aa5633c5283856956c19b1867c5741a697bfb379c91f09fea940