EC2 instance security group

sadiya yousaf
We use AWS EC2 instances in our office, and sometimes someone forgets to detach a security group from an instance, which is a business requirement. Is there any way to find out who added the security group and when?
btan, Exec Consultant
Distinguished Expert 2018

You can get it through the CloudTrail log, and I presume you have sent it to an S3 bucket or CloudWatch.

Best to use Athena to query for suspicious events that change the Security Groups (SG).

Specifically, to catch SG changes in CloudWatch, define a Logs Metric Filter (on the Logs Metric Filter screen) with the Filter Pattern below. The
{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }

  • AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress, CreateSecurityGroup, DeleteSecurityGroup - Monitoring changes to SG ingress and egress settings is a "must check" capability, and is worth listening out for.

There are other key event names to watch out for to catch foul play.

StopLogging - An event type that comes from CloudTrail itself. Monitoring this event type can help you catch anyone deactivating CloudTrail logging, be that maliciously or otherwise.

CreateNetworkAclEntry , CreateRoute - These two VPC changes are worth monitoring. New ACL entries and routes in your route tables can expose new attack vectors to your infrastructure and are handy for your SecOps team to monitor.

ApplySecurityGroupsToLoadBalancer, SetSecurityGroups - These are Elastic Load Balancer specific security group events and worth listening out for too. Here we monitor changes in which SGs are selected.

AuthorizeDBSecurityGroupIngress, CreateDBSecurityGroup, DeleteDBSecurityGroup, RevokeDBSecurityGroupIngress - These are the same as above, but of the RDS flavour and still worth monitoring, especially for internet facing RDS instances.
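The procedure above, as an added example that is not part of the original answer: a small Python scanner that reads the JSON CloudTrail delivers to S3 (a top-level "Records" array), keeps only the event names the answer lists, and reports who made the call, when, from where, and which security group IDs were involved. It goes one step beyond the answer's list by also watching ModifyInstanceAttribute and ModifyNetworkInterfaceAttribute, which is how attaching or detaching a group on a running instance (the questioner's case) is logged; the build_metric_filter_pattern helper renders the same CloudWatch filter shape the answer shows. The sample log, account ID, ARNs, trail name and group IDs are all constructed for this example.

```python
"""Who changed a security group, and when: scan CloudTrail records for SG events.

Added example, not code from the original answer. Input is the JSON that
CloudTrail delivers to S3 ({"Records": [...]}). The sample log at the bottom
is constructed; the account ID, ARNs and group IDs in it are made up.
"""
import json

# Event names from the answer's CloudWatch metric filter pattern.
SG_RULE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}
# The other event names the answer lists as worth watching.
OTHER_EVENTS = {
    "StopLogging", "CreateNetworkAclEntry", "CreateRoute",
    "ApplySecurityGroupsToLoadBalancer", "SetSecurityGroups",
    "AuthorizeDBSecurityGroupIngress", "CreateDBSecurityGroup",
    "DeleteDBSecurityGroup", "RevokeDBSecurityGroupIngress",
}
# Added beyond the answer's list: attaching or detaching a group on a running
# instance or ENI is logged as one of these EC2 calls, with the new group list
# under requestParameters.groupSet.
ATTACH_EVENTS = {"ModifyInstanceAttribute", "ModifyNetworkInterfaceAttribute"}

WATCHED_EVENTS = SG_RULE_EVENTS | OTHER_EVENTS | ATTACH_EVENTS


def build_metric_filter_pattern(event_names):
    """Render a CloudWatch Logs filter pattern in the same shape as the answer's."""
    clauses = " || ".join(f"($.eventName = {name})" for name in sorted(event_names))
    return "{ " + clauses + " }"


def _collect_group_ids(node, found):
    """Recursively gather every "groupId" value in a nested request/response."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "groupId" and isinstance(value, str):
                found.append(value)
            else:
                _collect_group_ids(value, found)
    elif isinstance(node, list):
        for item in node:
            _collect_group_ids(item, found)


def security_group_ids(record):
    """Group IDs a record touches (created groups appear only in responseElements)."""
    found = []
    for section in ("requestParameters", "responseElements"):
        _collect_group_ids(record.get(section) or {}, found)
    return sorted(set(found))


def actor(record):
    """Principal ARN; root has no user name, so its ARN ends in ':root'."""
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("type", "unknown")


def find_sg_changes(records, watched=WATCHED_EVENTS):
    """Return watched events, oldest first (CloudTrail eventTime is sortable ISO 8601)."""
    hits = []
    for record in records:
        if record.get("eventName") not in watched:
            continue
        hits.append({
            "eventTime": record.get("eventTime"),
            "actor": actor(record),
            "eventName": record["eventName"],
            "groupIds": security_group_ids(record),
            "sourceIPAddress": record.get("sourceIPAddress"),
        })
    return sorted(hits, key=lambda h: h["eventTime"] or "")


def scan_log_text(text):
    """Parse one CloudTrail log file (already gunzipped) and scan it."""
    return find_sg_changes(json.loads(text)["Records"])


# Constructed sample: an IAM user opens port 22, a CI role swaps the groups on
# an ENI, a harmless DescribeInstances, and root stops the trail.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-03-04T09:12:45Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890",
                           "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22}]}}},
    {"eventTime": "2019-03-04T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}},
    {"eventTime": "2019-03-04T10:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyNetworkInterfaceAttribute", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-build-42"},
     "requestParameters": {"networkInterfaceId": "eni-0aabbccddeeff0011",
                           "groupSet": {"items": [{"groupId": "sg-0a1b2c3d4e5f67890"},
                                                  {"groupId": "sg-0fedcba9876543210"}]}}},
    {"eventTime": "2019-03-04T11:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/office-trail"}},
]})


if __name__ == "__main__":
    for hit in scan_log_text(SAMPLE_LOG):
        print(hit["eventTime"], hit["actor"], hit["eventName"],
              ",".join(hit["groupIds"]) or "-", hit["sourceIPAddress"])
```

To run this over real data, gunzip each CloudTrail object from the S3 bucket and pass its contents to scan_log_text; for a month of logs, the same filter expressed as an Athena query over the CloudTrail table is the practical route, and the metric filter pattern from build_metric_filter_pattern is what goes into the CloudWatch alarm so the next change is caught as it happens rather than found later.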
Dhec Naag, Cloud Expert / System Operations

First, ensure that no one uses the root account and that everyone, including you, uses IAM; second, follow what @btan said above and his recommendations. I second his solution, as it is best practice.
