Unused Security Groups Should Be Removed

More Info:

Non-default security groups were defined which were unused and may not be required. This being the case, their existence in the configuration increases the risk that they may be inappropriately assigned. The unused security groups should be reviewed and removed if no longer required.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the issue of unused security groups in AWS using AWS CLI, follow these steps:

List all the security groups that are not associated with any EC2 instances:

aws ec2 describe-security-groups --query "SecurityGroups[?length(Instances) == '0'].{Name:GroupName, ID:GroupId}"

Identify the security group that you want to delete from the list obtained in the previous step.
Delete the unused security group using the following command:

aws ec2 delete-security-group --group-id YOUR_SECURITY_GROUP_ID

Make sure to replace YOUR_SECURITY_GROUP_ID with the actual ID of the security group you want to delete.

Confirm the deletion by listing the security groups again:

aws ec2 describe-security-groups --query "SecurityGroups[?length(Instances) == '0'].{Name:GroupName, ID:GroupId}"

By following these steps, you can remediate the issue of unused security groups in AWS using AWS CLI.

Using Python

To remediate the issue of unused security groups in AWS using Python, you can follow these steps:

Install the Boto3 library:

pip install boto3

Use the following Python script to identify and delete unused security groups:

import boto3

def get_unused_security_groups():
    ec2 = boto3.client('ec2')
    
    # Get all security groups
    response = ec2.describe_security_groups()
    security_groups = response['SecurityGroups']
    
    # Get all instances
    response = ec2.describe_instances()
    instances = []
    for reservation in response['Reservations']:
        instances.extend(reservation['Instances'])
    
    # Get security group IDs attached to instances
    used_security_groups = set()
    for instance in instances:
        for sg in instance.get('SecurityGroups', []):
            used_security_groups.add(sg['GroupId'])
    
    # Identify unused security groups
    unused_security_groups = [sg for sg in security_groups if sg['GroupId'] not in used_security_groups]
    
    return unused_security_groups

def delete_security_group(group_id):
    ec2 = boto3.client('ec2')
    
    # Delete the security group
    response = ec2.delete_security_group(GroupId=group_id)
    print(f"Deleted security group: {group_id}")

if __name__ == '__main__':
    unused_security_groups = get_unused_security_groups()
    for sg in unused_security_groups:
        delete_security_group(sg['GroupId'])

Replace the AWS credentials in the AWS CLI configuration file located at ~/.aws/credentials or use an IAM role that has the necessary permissions to list and delete security groups.
Run the Python script to identify and delete the unused security groups.

Please ensure that you have the necessary permissions to delete security groups before running this script.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unused Security Groups Should Be Removed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: