AWS Config Rule: EC2 Security Group Attached to ENI
EC2_SECURITY_GROUP_ATTACHED_TO_ENI
Fernando Honig
Last Update 7 months ago
Description: Checks that non-default security groups are attached to Amazon Elastic Compute Cloud (EC2) instances or elastic network interfaces (ENIs). The rule returns NON_COMPLIANT if a security group is not associated with an EC2 instance or an ENI.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Middle East (UAE), Asia Pacific (Osaka), Canada West (Calgary) Region
How to Resolve Manually
This config rule will highlight any Security Groups not in use. Be cautious: a Security Group that is not in use at the time of the report may still be required by an Auto Scaling group or other automation that creates instances on a set schedule and attaches existing Security Groups to them.
To resolve this manually, go to the EC2 Dashboard and select Security Groups from the left-hand column.
From here, select the Security Groups you no longer need and, from the Actions button, choose "Delete Security Group".
Note: If the Security Group is still attached to an instance or interface at this point, a warning will appear and the deletion is blocked until the Security Group has been detached.
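To review findings before deleting anything, here is an added Python example (not StackZone's SSM document and not AWS's rule implementation) that evaluates constructed security group and ENI data the way the rule does, then applies the Auto Scaling caveat above by treating NON_COMPLIANT groups still referenced by a launch configuration as not safe to delete. The sample IDs and the launch configuration are assumptions.

```python
from typing import Dict, Iterable, List

# Constructed sample data, shaped like the responses a live run would get from
# ec2 describe_security_groups, ec2 describe_network_interfaces and
# autoscaling describe_launch_configurations. All IDs are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "default"},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web-tier"},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "batch-workers"},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "old-vpn"},
]
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa111bbb222ccc3",
     "Groups": [{"GroupId": "sg-0a1b2c3d4e5f60001"},
                {"GroupId": "sg-0a1b2c3d4e5f60002"}]},
]
LAUNCH_CONFIGURATIONS = [
    {"LaunchConfigurationName": "batch-lc",
     "SecurityGroups": ["sg-0a1b2c3d4e5f60003"]},
]


def evaluate_rule(groups: Iterable[dict], enis: Iterable[dict]) -> Dict[str, str]:
    """Mirror the rule: every non-default group must be on at least one ENI.
    An EC2 instance's groups live on its ENIs, so ENI membership also covers
    the 'attached to an instance' case."""
    attached = {g["GroupId"] for eni in enis for g in eni.get("Groups", [])}
    results: Dict[str, str] = {}
    for sg in groups:
        if sg["GroupName"] == "default":
            results[sg["GroupId"]] = "NOT_APPLICABLE"  # rule covers non-default groups only
        elif sg["GroupId"] in attached:
            results[sg["GroupId"]] = "COMPLIANT"
        else:
            results[sg["GroupId"]] = "NON_COMPLIANT"
    return results


def deletion_candidates(results: Dict[str, str], launch_configs: Iterable[dict]) -> List[str]:
    """Apply the caveat from the manual procedure: a NON_COMPLIANT group that an
    Auto Scaling launch configuration still references will be needed by the
    next scale-out, so it is excluded from the delete list."""
    referenced = {sg for lc in launch_configs for sg in lc.get("SecurityGroups", [])}
    return sorted(gid for gid, state in results.items()
                  if state == "NON_COMPLIANT" and gid not in referenced)


if __name__ == "__main__":
    findings = evaluate_rule(SECURITY_GROUPS, NETWORK_INTERFACES)
    for gid, state in findings.items():
        print(f"{gid}: {state}")
    print("safe to delete:", deletion_candidates(findings, LAUNCH_CONFIGURATIONS))
```

Launch templates referenced by Auto Scaling groups deserve the same treatment; they are left out here only to keep the example short.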
How to Resolve with StackZone
If enabled, StackZone can automatically remediate this for you using an SSM Document, which deletes any Security Groups not attached to an instance or ENI.
To enable this remediation, go to your StackZone Console and, under Baseline services > Config Rules Regional > Network, enable VPC Security Group Attached Remediation.
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here