Security Group Change
This alert fires when Lacework detects a change to a security group's rules (ingress or egress permissions) or the deletion of a security group.
Why this Alert is Important
A security group is a stateful virtual firewall attached to AWS resources such as EC2 instances, and its rules are one of the primary controls limiting which sources can reach a resource. A permissive change defeats that control. For example, this alert triggers if a rule is changed to allow access to a resource from anywhere (0.0.0.0/0 or ::/0) instead of from a specific IP address or range.
Investigation
Validate that the security group grants access only to the individuals and services that need it. Identify who made the last change: CloudTrail records each modification (for example AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress, or DeleteSecurityGroup) together with the calling identity, its source IP address, and the requested rules. Confirm with that principal or the owning team that there was a business justification for the change, and treat an unexpected deletion or a rule opened to 0.0.0.0/0 as a misconfiguration or potential compromise until it is explained.
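The triage described above, as an added example that is not part of Lacework's documentation or product code: it walks CloudTrail records, keeps only EC2 security group changes and deletions, extracts who made each change and from where, and flags any authorized rule whose CIDR covers the whole address space. The records below are constructed to mirror the CloudTrail record shape for these API calls; the account ID, group IDs, ARNs, timestamps and IP addresses are placeholders.

```python
"""Triage constructed CloudTrail records for security group changes (added example)."""
import ipaddress
from dataclasses import dataclass, field

# EC2 API calls that modify or delete a security group.
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "DeleteSecurityGroup",
}

# Constructed sample records (placeholder account, ARNs, group IDs, IPs).
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {}}]}}},
    {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {}}]}}},
    {"eventTime": "2024-05-01T12:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSecurityGroup", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"},
     "requestParameters": {"groupId": "sg-0fedcba9876543210"}},
    # Unrelated EC2 call: must be ignored by the triage.
    {"eventTime": "2024-05-01T12:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {}},
]


@dataclass
class Finding:
    event_time: str
    event_name: str
    group_id: str
    actor: str
    source_ip: str
    world_open_rules: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Deleting a group or opening a rule to everyone needs immediate follow-up.
        if self.event_name == "DeleteSecurityGroup":
            return "high"
        if self.event_name.startswith("Authorize") and self.world_open_rules:
            return "high"
        return "medium"


def _items(obj) -> list:
    """CloudTrail wraps lists as {"items": [...]}; return the list or []."""
    return obj.get("items", []) if isinstance(obj, dict) else []


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 address space (/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_rules(request_params: dict) -> list:
    """Return 'proto from-to cidr' strings for permissions open to anyone."""
    rules = []
    for perm in _items(request_params.get("ipPermissions")):
        cidrs = [r["cidrIp"] for r in _items(perm.get("ipRanges"))]
        cidrs += [r["cidrIpv6"] for r in _items(perm.get("ipv6Ranges"))]
        for cidr in cidrs:
            if is_world_open(cidr):
                # ipProtocol "-1" means all protocols; ports are then absent.
                proto = perm.get("ipProtocol", "-1")
                ports = f"{perm.get('fromPort', 'all')}-{perm.get('toPort', 'all')}"
                rules.append(f"{proto} {ports} {cidr}")
    return rules


def triage(records: list) -> list:
    """Turn security group change records into findings with actor attribution."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in SG_CHANGE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        findings.append(Finding(
            event_time=rec["eventTime"],
            event_name=rec["eventName"],
            group_id=params.get("groupId", "?"),
            actor=rec.get("userIdentity", {}).get("arn", "unknown"),
            source_ip=rec.get("sourceIPAddress", "?"),
            world_open_rules=world_open_rules(params),
        ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.event_time} {f.event_name} {f.group_id} "
              f"by {f.actor} from {f.source_ip} {f.world_open_rules or ''}")
```

Each finding carries the principal ARN and source IP so the reviewer can go straight to the owner of that identity for the business justification; the `RunInstances` record shows that unrelated EC2 activity is filtered out rather than noisily reported.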
Resolution
Ensure that every rule in the security group is required. Remove rules that are no longer needed, narrow any rule that allows traffic from 0.0.0.0/0 or ::/0 to the specific source ranges or security groups that need access, and if the change was not authorized, revert it to the previous rule set and investigate the identity that made it.
Related Information
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html