
Security Group Change

This alert fires when Lacework detects a change to a security group's permissions or the deletion of a security group.

Why this Alert is Important

A security group is one of the mechanisms AWS provides to keep unauthorized users from reaching resources. For example, this alert triggers if a security group was changed to allow access to a resource from anywhere rather than from a specific IP address or range.

Investigation

Validate that the security group grants access only to the individuals and services that need it. Check who made the last change to the security group and confirm there was a business justification for that change.

Resolution

Ensure that all the rules in the security group are required.
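The Investigation and Resolution steps above (find rules that are open to the world, then find who changed the group and whether each rule is still needed) can be scripted against the JSON that the AWS CLI returns. The script below is an added example, not Lacework's own code or part of this alert. It works on the output shapes of `aws ec2 describe-security-groups` and `aws cloudtrail lookup-events`, but uses constructed sample records embedded in the file, so it runs offline; the group id, account id, principal ARNs, timestamps and IP addresses in those samples are invented. The helper names (`find_world_open_rules`, `who_changed`, `triage`) are this example's own.

```python
"""Triage helper for a 'Security Group Change' alert (added example, not Lacework code)."""
import ipaddress
import json
from typing import Dict, List

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0example1234567890",
    "GroupName": "web-tier",
    "IpPermissions": [
        {   # SSH reachable from every IPv4 address: the "from anywhere" case the alert describes
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
        },
        {   # HTTPS limited to a corporate range over IPv4, but open to all of IPv6
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "corp egress"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
        },
        {   # All traffic from another security group: a group reference, not a CIDR
            "IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0example0000000001"}],
        },
    ],
}

# Constructed sample in the shape of `aws cloudtrail lookup-events` output, where
# "CloudTrailEvent" carries the raw event as a JSON string. Identities and IPs are invented,
# and requestParameters is reduced to the groupId field this example needs.
def _event(name: str, when: str, arn: str, src_ip: str, group_id: str) -> Dict:
    return {
        "EventName": name,
        "EventTime": when,
        "CloudTrailEvent": json.dumps({
            "eventTime": when, "eventName": name,
            "userIdentity": {"arn": arn},
            "sourceIPAddress": src_ip,
            "requestParameters": {"groupId": group_id},
        }),
    }

SAMPLE_CLOUDTRAIL_EVENTS = [
    _event("DescribeSecurityGroups", "2024-05-01T09:58:00Z",
           "arn:aws:iam::123456789012:user/alice", "203.0.113.10", "sg-0example1234567890"),
    _event("AuthorizeSecurityGroupIngress", "2024-05-01T10:02:14Z",
           "arn:aws:iam::123456789012:user/bob", "198.51.100.7", "sg-0example1234567890"),
    _event("AuthorizeSecurityGroupIngress", "2024-05-01T10:05:00Z",
           "arn:aws:iam::123456789012:role/deploy", "203.0.113.10", "sg-0example0000000001"),
    _event("DeleteSecurityGroup", "2024-05-01T11:30:45Z",
           "arn:aws:iam::123456789012:user/bob", "198.51.100.7", "sg-0example1234567890"),
]

# EC2 API calls that create, modify or delete a security group or its rules.
SG_MUTATING_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules", "CreateSecurityGroup", "DeleteSecurityGroup",
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (prefix length zero), i.e. access from anywhere."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_world_open_rules(group: Dict) -> List[Dict]:
    """Return every inbound rule whose source is the entire IPv4 or IPv6 internet."""
    findings = []
    for perm in group.get("IpPermissions", []):
        from_port = perm.get("FromPort", "all")   # absent for IpProtocol "-1" (all traffic)
        to_port = perm.get("ToPort", "all")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if is_world_open(cidr):
                findings.append({"protocol": perm["IpProtocol"], "from_port": from_port,
                                 "to_port": to_port, "source": cidr})
    return findings


def who_changed(events: List[Dict], group_id: str) -> List[Dict]:
    """Reduce lookup-events output to the mutating calls on one group, oldest first,
    with the caller and source address needed for the business-justification check."""
    changes = []
    for ev in events:
        if ev["EventName"] not in SG_MUTATING_EVENTS:
            continue  # read-only calls such as DescribeSecurityGroups are not changes
        raw = json.loads(ev["CloudTrailEvent"])
        if raw.get("requestParameters", {}).get("groupId") != group_id:
            continue
        changes.append({"time": raw["eventTime"], "event": raw["eventName"],
                        "principal": raw["userIdentity"]["arn"],
                        "source_ip": raw["sourceIPAddress"]})
    return sorted(changes, key=lambda c: c["time"])


def triage(group: Dict, events: List[Dict]) -> Dict:
    """Combine both checks into one record an analyst can attach to the alert."""
    return {"group": group["GroupId"],
            "world_open_rules": find_world_open_rules(group),
            "changes": who_changed(events, group["GroupId"])}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SECURITY_GROUP, SAMPLE_CLOUDTRAIL_EVENTS), indent=2))
```

On the sample data, the first check reports the SSH rule (0.0.0.0/0) and the IPv6 side of the HTTPS rule (::/0) while leaving the corporate /24 and the group-reference rule alone, and the second check reduces four CloudTrail records to the two mutating calls on this group, both by the same principal from the same source address. With live data, replace the two samples with the parsed output of the two AWS CLI commands named above; the `DeleteSecurityGroup` case is the reason to run the CloudTrail check even when the group can no longer be described.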

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html