In Amazon Web Services (AWS), a Security Group is a fundamental component of network security that acts as a virtual firewall for your cloud resources. It allows you to control inbound and outbound traffic to and from AWS resources like Amazon Elastic Compute Cloud (EC2) instances, Relational Database Service (RDS) instances, and other services.
Here are some of the key characteristics and functions of AWS Security Groups:
- Traffic Control: Security Groups control traffic flow based on rules you define. You can specify which IP addresses, IP ranges, or other Security Groups are allowed to access your AWS resources and the ports they can use for communication.
- Stateful: Security Groups are stateful, which means that if you allow incoming traffic from a particular IP address or range, the corresponding outbound reply traffic is automatically allowed. You don’t need to create separate rules for incoming and outgoing traffic.
- Implicit Deny: By default, all inbound and outbound traffic is denied unless you explicitly allow it by creating rules in the Security Group. This “implicit deny” principle ensures that you have fine-grained control over your network security.
- Application-Level Control: You can configure Security Groups to allow or deny traffic at the application layer (e.g., by specifying port numbers for services like HTTP, HTTPS, SSH, etc.). This level of control enables you to secure your resources based on specific application requirements.
- Flexible Rules: Security Groups support flexible rule configurations. You can create rules allowing access from specific IP addresses or IP ranges, from other Security Groups, or AWS resources within the same Virtual Private Cloud (VPC).
- Dynamic Updates: You can modify Security Group rules anytime to adapt to changing security requirements. Changes take effect immediately, providing agility in managing your network security.
- Resource Associations: Security Groups can be associated with multiple AWS resources. For example, you can use the same Security Group to secure multiple EC2 or RDS database instances.
- A Layer of Defense: Security Groups are one layer of defense in the AWS shared responsibility model for security. While AWS manages the safety of the underlying infrastructure, you are responsible for securing your resources using tools like Security Groups.
Security Check for Unused Security Groups
The control [EC2.22] Unused Amazon EC2 security groups should be removed requires exactly what its title says: any security group that is not in use has to be removed.
But how do you find out which security groups are unused? Here are the steps you can follow to clean them up.
List all security groups
First, list all the security groups in the region. Write them to a file so that you can compare them with the list of used groups later.
# One line per group (ID and name, tab-separated), saved for the comparison step
aws ec2 describe-security-groups --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" --output text | sort | uniq > all_security_groups.txt
Find used security groups
Use the following AWS CLI commands to find the used security groups.
aws ec2 describe-instances --query "Reservations[*].Instances[*].SecurityGroups[*].GroupId" --output text | tr '\t' '\n' | sort | uniq > used_security_groups.txt
Then compare the two lists (for example with a VLOOKUP in MS Excel) to find the security groups that appear in the full list but not in the used list. Save those IDs, one per line, as unused_security_groups.txt; the next step reads that file.
Now, for these candidate security groups, we have to validate whether they are referenced anywhere else as well:
- AWS Lambda
- DB instances
- EC2 instances
- Launch templates
- Load balancers
# Reads the candidate IDs one per line; each command prints only the resources that still reference the group
while read -r i; do
  echo "== $i"
  # Lambda functions whose VPC configuration includes the group
  aws lambda list-functions --query "Functions[?VpcConfig.SecurityGroupIds && contains(VpcConfig.SecurityGroupIds, \`$i\`)].FunctionName" --output text
  # RDS instances (DBInstanceIdentifier is always set, whereas DBName can be empty)
  aws rds describe-db-instances --query "DBInstances[?contains(VpcSecurityGroups[].VpcSecurityGroupId, \`$i\`)].DBInstanceIdentifier" --output text
  # EC2 instances, with their Name tag
  aws ec2 describe-instances --query "Reservations[].Instances[?SecurityGroups[].GroupId && contains(SecurityGroups[].GroupId, \`$i\`)].{InstanceId: InstanceId, Name: Tags[?Key==\`Name\`].Value | [0]}" --output text
  # Latest version of every launch template; the group can appear either at the top level (SecurityGroupIds) or inside a network interface
  aws ec2 describe-launch-template-versions --versions '$Latest' --query "LaunchTemplateVersions[?(LaunchTemplateData.SecurityGroupIds && contains(LaunchTemplateData.SecurityGroupIds, \`$i\`)) || (LaunchTemplateData.NetworkInterfaces[].Groups[] && contains(LaunchTemplateData.NetworkInterfaces[].Groups[], \`$i\`))].LaunchTemplateName" --output text
  # Classic load balancers (the original query had a stray space before LoadBalancerName, which is a JMESPath syntax error)
  aws elb describe-load-balancers --query "LoadBalancerDescriptions[?contains(SecurityGroups[], \`$i\`)].LoadBalancerName" --output text
done < unused_security_groups.txt
Once you have validated that these security groups are not used, you can proceed to delete them. Put the IDs to delete, one per line, in sg-to-delete.txt.
Delete the security groups
while read -r id; do
  echo "$id"
  aws ec2 delete-security-group --group-id "$id" --region ap-southeast-2
done < sg-to-delete.txt
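Putting the steps above together, here is an added example script (mine, not from the original post or from AWS) that does the whole audit from the command line. It computes the set difference with comm instead of an Excel VLOOKUP, and goes a step further than the post's describe-instances query by taking the "used" set from every network interface in the region, which covers EC2, RDS, VPC-attached Lambda and load balancers in a single call. Before listing a group as deletable it also checks two things the post's validation loop does not: whether the group is a VPC's default group (which cannot be deleted) and whether another security group's rules still reference it (delete-security-group fails until that rule is removed). The region default, the file names and the function names are my assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: end-to-end audit of unused
# security groups in one region. Assumes a configured AWS CLI; the region
# default and the file names below are the author's (my) assumptions.
set -eu

REGION="${AWS_REGION:-ap-southeast-2}"   # assumption: same region the post uses

# Pure helper (no AWS calls): print IDs that are in file $1 but not in file $2.
# comm needs sorted, de-duplicated input, so both files are normalised first.
unused_ids() {
  tmp_all=$(mktemp); tmp_used=$(mktemp)
  sort -u "$1" > "$tmp_all"
  sort -u "$2" > "$tmp_used"
  comm -23 "$tmp_all" "$tmp_used"
  rm -f "$tmp_all" "$tmp_used"
}

# Pure helper: decide what to do with a candidate, given its name and the
# comma-separated list of other groups whose rules reference it ("" if none).
decide() {
  if [ "$1" = "default" ]; then
    echo keep-default        # a VPC's default group cannot be deleted
  elif [ -n "$2" ]; then
    echo keep-referenced     # deletion fails while another group's rule points at it
  else
    echo delete-candidate
  fi
}

# Every security group ID in the region, one per line.
all_ids() {
  aws ec2 describe-security-groups --region "$REGION" \
    --query "SecurityGroups[].GroupId" --output text | tr '\t' '\n'
}

# Every group attached to any network interface. ENIs exist for EC2, RDS,
# VPC-attached Lambda, classic and v2 load balancers and other VPC services,
# so one call yields a broader "used" set than describe-instances alone.
used_ids() {
  aws ec2 describe-network-interfaces --region "$REGION" \
    --query "NetworkInterfaces[].Groups[].GroupId" --output text | tr '\t' '\n'
}

# IDs of other groups whose inbound or outbound rules reference group $1.
# The two filters are queried separately because multiple --filters are ANDed.
referencing_groups() {
  for f in ip-permission.group-id egress.ip-permission.group-id; do
    aws ec2 describe-security-groups --region "$REGION" \
      --filters "Name=$f,Values=$1" --query "SecurityGroups[].GroupId" --output text
  done | tr '\t' '\n' | grep -v "^$1\$" || true   # a group may reference itself
}

audit() {
  all_ids  > all_security_groups.txt
  used_ids > used_security_groups.txt
  : > sg-to-delete.txt
  unused_ids all_security_groups.txt used_security_groups.txt | while read -r sg; do
    name=$(aws ec2 describe-security-groups --region "$REGION" --group-ids "$sg" \
             --query "SecurityGroups[0].GroupName" --output text)
    refs=$(referencing_groups "$sg" | paste -sd, -)
    verdict=$(decide "$name" "$refs")
    printf '%s\t%s\t%s\t%s\n' "$sg" "$name" "$verdict" "$refs"
    if [ "$verdict" = delete-candidate ]; then echo "$sg" >> sg-to-delete.txt; fi
  done
}

# The audit only runs when invoked as: ./sg-audit.sh run
if [ "${1:-}" = "run" ]; then audit; fi
```

Running it with the `run` argument prints one tab-separated line per candidate (ID, name, verdict, referencing groups) and writes only the delete-candidate IDs to sg-to-delete.txt, which is the file the deletion loop above consumes. The two pure helpers, unused_ids and decide, carry the decision logic and can be exercised without any AWS credentials.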
Unused Security Groups can clutter your AWS account, making it difficult to manage and potentially leading to security vulnerabilities.
Let me know your thoughts.