Automatically delete a specific inbound rule from any security group in AWS

HIMANSHU THAPLIYAL
5 min read · Jun 12, 2021


Fig-1

There can be situations where you do not want a particular port allowed as an inbound rule in your security groups (for example, port 22 for SSH), whether for security reasons or for anything else.

Suppose you are a senior architect with some junior architects reporting to you, and you have assigned them work that involves security groups or other resources.

Now suppose one of the junior architects adds an inbound rule allowing SSH (port 22) on the security group of a critical server or virtual machine, so that they can log in over SSH and copy data out. If the rule is only in place for ten minutes, you might never learn that someone opened SSH to the machine and took data off it: unless you have alerting on security-group changes, nothing raises an alarm.

To catch, and undo, this kind of change, you can use AWS Config, a service that lets you define rules for how your resources should be configured. You specify a rule, and whenever a resource in your AWS account does not follow it, Config flags that resource as non-compliant and can notify you by email or other means.

AWS Config records the configuration of your resources continuously and evaluates each recorded configuration against the rules you have set. The managed rule used here, restricted-ssh, marks a security group NON_COMPLIANT when it allows inbound traffic on port 22 from 0.0.0.0/0 or ::/0; SSH that is restricted to specific CIDR ranges is not flagged. So as soon as the junior architect opens SSH to the world, Config will either remove that inbound rule automatically through a remediation action or alert you by mail. Keep in mind that this is a detective and corrective control, not a preventive one: the rule stays in effect until Config has evaluated the change and run the remediation, which typically takes a minute or more. If the change must not happen at all, deny ec2:AuthorizeSecurityGroupIngress in IAM or in a service control policy as well.

1: Open AWS Config in the AWS console.

2: Select Add rule.

3: Select the restricted-ssh rule from the list of managed rules and select Next.

4: In the Resource type section, choose AWS EC2 SecurityGroup.

5: Select Next and your rule is created. At this point the rule only reports non-compliant security groups; it will not delete any inbound SSH rule, because we have not configured remediation yet. To do that, select your rule, go to Actions and select Manage remediation.

6: Here you have two options, Automatic and Manual. Choose Automatic, since we want the inbound rule deleted without anyone having to click.

7: Under Remediation action details, choose AWS-DisableIncomingSSHOnPort22 from the drop-down list. Leave the other settings at their defaults and move to the Parameters section.

8: For Resource ID parameter, choose SecurityGroupIds. You will see that the SecurityGroupIds entry at the end of the parameter list is greyed out; leave it as it is, because Config fills it with the ID of the non-compliant security group at run time. What we still have to supply is the AutomationAssumeRole parameter.

The reason we need it is that automatic remediation runs an AWS Systems Manager Automation document, which AWS Config invokes on your behalf. To act on a resource, Systems Manager must assume an IAM role that grants it the permissions the document needs, here the ability to revoke an ingress rule on the security group.

So first you need to create that role in the IAM service. Open IAM in a new tab.

Select Roles and then Create role.

1: Select AWS service as the trusted entity type.

2: Select Systems Manager from the list of services.

3: Select Systems Manager again from the use cases at the bottom of the page and select Next: Permissions. This gives the role a trust policy that allows ssm.amazonaws.com to assume it.

4: In the policy list, search for the managed policy AmazonSSMAutomationRole. Tick it on the left and select Next: Tags. You can leave the tags empty for now and select Next: Review at the bottom. (This managed policy grants more than this one document needs; once you have confirmed which EC2 actions the document performs, a scoped-down inline policy is the least-privilege choice.)

5: Give the role any name you want and select Create role.

6: After creating the role, open it and copy its Role ARN from the Summary section at the top.

7: Return to the AWS Config tab, where the AutomationAssumeRole parameter was still required, and paste the ARN you copied in the previous step.

8: Select Save changes. Everything is now configured.

9: Now try adding an inbound SSH rule open to 0.0.0.0/0 on any security group from the console (do this in a test account or on a test security group).
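The console procedure above, as an added example in Python with boto3 (this is not code from the original post): it creates the remediation role with a trust policy for ssm.amazonaws.com, attaches the AmazonSSMAutomationRole managed policy, creates the restricted-ssh rule (managed rule identifier INCOMING_SSH_DISABLED, scoped to security groups) and attaches the automatic remediation that runs AWS-DisableIncomingSSHOnPort22 against the flagged group. The rule name and role name are placeholders I chose. The request bodies are built as plain dictionaries so they can be inspected before anything is applied; only main() talks to AWS.

```python
"""AWS Config restricted-ssh rule with automatic SSM remediation.

Added example, not from the original post.  RULE_NAME and ROLE_NAME are
assumptions (any names work); the rest are AWS identifiers.
"""
import json

RULE_NAME = "restricted-ssh"                 # assumed rule name
ROLE_NAME = "ConfigRestrictedSshRemediation"  # assumed role name
SSM_DOCUMENT = "AWS-DisableIncomingSSHOnPort22"
MANAGED_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole"


def trust_policy() -> dict:
    """Trust policy that lets SSM Automation assume the remediation role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def config_rule() -> dict:
    """Managed rule INCOMING_SSH_DISABLED, evaluated on security groups only."""
    return {
        "ConfigRuleName": RULE_NAME,
        "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"},
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]},
    }


def remediation_configuration(role_arn: str) -> dict:
    """Automatic remediation: run the SSM document on the non-compliant group.

    RESOURCE_ID tells Config to pass the flagged security group's ID as the
    document's SecurityGroupIds parameter; that is why the console greys it out.
    """
    return {
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": SSM_DOCUMENT,
        "Automatic": True,
        "MaximumAutomaticAttempts": 5,   # required when Automatic is True
        "RetryAttemptSeconds": 60,
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
            "SecurityGroupIds": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        },
    }


def main() -> None:
    """Apply the configuration to the account of the current credentials."""
    import boto3  # imported here so the builders above work offline

    iam = boto3.client("iam")
    config = boto3.client("config")

    role = iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(trust_policy()),
        Description="Assumed by SSM Automation for Config remediation",
    )
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=MANAGED_POLICY)

    config.put_config_rule(ConfigRule=config_rule())
    config.put_remediation_configurations(
        RemediationConfigurations=[remediation_configuration(role["Role"]["Arn"])]
    )
    print("configured", RULE_NAME, "with remediation role", role["Role"]["Arn"])


if __name__ == "__main__":
    main()
```

A new IAM role takes a few seconds to propagate; if the first remediation attempt fails with an assume-role error, the retry settings above cover it. As noted in the steps, AmazonSSMAutomationRole is broader than this document needs, so swap it for a scoped inline policy once you have checked the document's steps.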

Now check the AWS Config rule you created.

It will show the resource that is not following the rule, in other words the security group that is non-compliant against restricted-ssh, and the remediation will then remove the offending inbound rule automatically. In practice this takes anywhere from a few seconds to a few minutes, depending on when Config records the change and runs the evaluation.

To see which security group has SSH open, select the restricted-ssh rule.

Then scroll to the bottom and look under Resources in scope. You will see the security group ID listed there as noncompliant.

Within a minute or so, the SSH rule will be deleted from the security group, and the Resources in scope section in AWS Config will no longer show any noncompliant security group.

This is because the world-open SSH entry has been removed, so the resource now follows the rule and is compliant with it. The remediation only touches the port 22 entry that the rule flagged; other inbound rules on the security group stay as they were.
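To make the compliant / non-compliant transition concrete, here is an added Python model of the check and of the revoke that brings a group back into compliance. This is example code, not the post's own and not AWS's implementation of restricted-ssh or AWS-DisableIncomingSSHOnPort22. The security-group records are constructed in the shape that ec2.describe_security_groups() returns; evaluate() follows the rule's documented condition (port 22 reachable from 0.0.0.0/0 or ::/0), and revoke_params() builds the ec2.revoke_security_group_ingress() arguments that drop only the offending source, leaving the restricted CIDRs in place. Treating a port range that merely includes 22, or an all-traffic rule, as SSH exposure is this example's reading of the rule; verify in a test account that the managed document removes those forms too.

```python
"""Local model of restricted-ssh and of the remediation's revoke.

Added example, not from the original post or from AWS.  SAMPLE_GROUPS are
constructed records in describe_security_groups() shape, not real resources.
"""
import copy

UNRESTRICTED = {"0.0.0.0/0", "::/0"}


def covers_ssh(perm: dict) -> bool:
    """True if an IpPermission entry reaches TCP/22 (or is 'All traffic')."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= 22 <= perm["ToPort"]   # exact 22 or a range


def unrestricted_ssh_entries(sg: dict) -> list:
    """(permission, cidr_key, cidr) for every world-open source reaching SSH."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") in UNRESTRICTED:
                hits.append((perm, "CidrIp", rng["CidrIp"]))
        for rng in perm.get("Ipv6Ranges", []):
            if rng.get("CidrIpv6") in UNRESTRICTED:
                hits.append((perm, "CidrIpv6", rng["CidrIpv6"]))
    return hits


def evaluate(sg: dict) -> str:
    """Verdict in AWS Config's vocabulary."""
    return "NON_COMPLIANT" if unrestricted_ssh_entries(sg) else "COMPLIANT"


def revoke_params(sg: dict, hit: tuple) -> dict:
    """Arguments for revoke_security_group_ingress() removing one source only."""
    perm, key, cidr = hit
    ip_perm = {"IpProtocol": perm["IpProtocol"]}
    if "FromPort" in perm:                 # absent for protocol "-1"
        ip_perm["FromPort"] = perm["FromPort"]
        ip_perm["ToPort"] = perm["ToPort"]
    ip_perm["IpRanges" if key == "CidrIp" else "Ipv6Ranges"] = [{key: cidr}]
    return {"GroupId": sg["GroupId"], "IpPermissions": [ip_perm]}


def simulate_remediation(sg: dict) -> tuple:
    """Apply the revokes to a copy; returns (revoke calls, verdict afterwards)."""
    sg = copy.deepcopy(sg)
    hits = unrestricted_ssh_entries(sg)
    calls = [revoke_params(sg, hit) for hit in hits]
    for perm, key, cidr in hits:
        lst = "IpRanges" if key == "CidrIp" else "Ipv6Ranges"
        perm[lst] = [r for r in perm[lst] if r.get(key) != cidr]
    # EC2 drops a permission that has no sources left; mirror that here.
    sg["IpPermissions"] = [p for p in sg["IpPermissions"]
                           if p.get("IpRanges") or p.get("Ipv6Ranges")
                           or p.get("UserIdGroupPairs") or p.get("PrefixListIds")]
    return calls, evaluate(sg)


# Constructed sample groups: one open to the world on 22, one restricted.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion-restricted",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

if __name__ == "__main__":
    for sg in SAMPLE_GROUPS:
        calls, after = simulate_remediation(sg)
        print(sg["GroupName"], evaluate(sg), "->", after, f"({len(calls)} revokes)")
```

Run it and the open group goes NON_COMPLIANT to COMPLIANT with two revokes (the IPv4 and the IPv6 world-open sources), while the 10.0.0.0/8 source on port 22 and the HTTPS rule survive; the restricted group needs no call at all. That is the same sequence the console shows: the group appears under Resources in scope, the remediation runs, and the group drops out of the noncompliant list.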

I hope you like this blog. If you need some help in the same then please comment and let me know.

Thank you for reading.
