Medium

Ensure launch wizard security groups are not in use by EC2

Security & Compliance
Description

To promote the use of secure and customized security groups that adhere to the Principle of Least Privilege (POLP), it is important to avoid associating Amazon EC2 instances in your AWS cloud account with security groups named with the default prefix "launch-wizard". These security groups have a default configuration that allows inbound/ingress traffic on port 22 from any source (i.e. 0.0.0.0/0), and because they are frequently used, they can increase the risk of malicious activities such as hacking, brute-force, or Denial-of-Service (DoS) attacks.

Remediation

Here are the remediation steps to ensure launch wizard security groups are not in use by EC2:

  1. Identify all Amazon EC2 instances within your AWS account.
  2. For each EC2 instance, check if it is associated with a security group that has a name prefixed with "launch-wizard".
  3. If an EC2 instance is associated with a "launch-wizard" security group, create a new custom security group with specific rules that allow only necessary inbound and outbound traffic.
  4. Associate the custom security group with the EC2 instance and remove its association with the "launch-wizard" security group.
  5. Repeat steps 3 and 4 for all EC2 instances associated with a "launch-wizard" security group.
  6. Ensure that any new EC2 instances launched in the future use the custom security group instead of the default "launch-wizard" security group.

By following these steps, you can ensure that all your EC2 instances are associated with custom security groups that have been configured to follow the Principle of Least Privilege, rather than relying on the default and potentially insecure "launch-wizard" security groups.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.

Step into the Future of SecOps