This check flags EC2 security groups whose name contains "launch-wizard". Such groups are created automatically by the EC2 instance launch wizard at launch time rather than defined from a reviewed baseline, which is what distinguishes auto-generated groups from curated, baseline-controlled ones.
Risk
Wizard-generated groups frequently carry overly permissive rules, for example inbound 0.0.0.0/0 to administrative ports such as SSH (22) or RDP (3389), together with unrestricted egress. An Internet-exposed admin port lets an attacker find it by port scanning and brute-force credentials; a foothold on the instance then enables lateral movement and data exfiltration, affecting confidentiality and integrity, while unrestricted egress makes command-and-control traffic easy to establish.
prowler aws --checks ec2_securitygroup_from_launch_wizard
Recommendation
Replace or harden these groups. Apply least privilege: restrict inbound rules to the specific source ranges that need access, do not expose administrative ports to the Internet, and limit egress to required destinations. Use approved baseline security groups, manage them through IaC with change control and guardrails, administer instances privately (a bastion host or AWS Systems Manager Session Manager), and remove rules that are no longer used.
Remediation
aws ec2 delete-security-group --group-id <SECURITY_GROUP_ID>
The call fails with DependencyViolation while the group is still attached to a network interface or referenced by another security group's rules, so replace it on those resources first.
- In the AWS console, go to EC2 > Network & Security > Security Groups
- In the search box, filter by Name contains "launch-wizard"
- For each matching group, open the References tab to see the ENIs/instances that use it, and replace it on each of them with an approved security group (an ENI must keep at least one security group)
- Select the launch-wizard security group and choose Actions > Delete security group > Delete
- Verify no security groups remain with names containing "launch-wizard"
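The triage described under Risk and the clean-up procedure above, as an added Python example (not Prowler's check code): it applies the same name test to a describe-security-groups listing, flags launch-wizard groups that expose admin ports to 0.0.0.0/0 or ::/0 or allow unrestricted egress, and uses describe-network-interfaces to separate groups that can be deleted now from those that must first be replaced on their ENIs. The sample API responses, the admin-port set and the --live/--delete flags are assumptions for the illustration; the live path uses boto3 with the standard EC2 API calls and only deletes when --delete is passed.

```python
"""Triage and clean up launch-wizard security groups (added example, not Prowler's check code)."""
import sys

ADMIN_PORTS = (22, 3389, 5985, 5986)  # SSH, RDP, WinRM: an assumed admin-port set
ANYWHERE = {"0.0.0.0/0", "::/0"}


def is_launch_wizard(group):
    """Same name test as the Prowler check: the group name contains 'launch-wizard'."""
    return "launch-wizard" in group.get("GroupName", "")


def _sources(rule):
    """Every IPv4/IPv6 CIDR a describe-security-groups rule entry applies to."""
    return [r["CidrIp"] for r in rule.get("IpRanges", [])] + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]


def _covers_tcp_port(rule, port):
    """True if the rule admits TCP to `port`; protocol '-1' means all protocols and ports."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    return proto in ("tcp", "6") and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def open_admin_ports(group):
    """Admin ports reachable from 0.0.0.0/0 or ::/0 through the group's inbound rules."""
    return sorted(port for port in ADMIN_PORTS
                  if any(_covers_tcp_port(r, port) and ANYWHERE.intersection(_sources(r))
                         for r in group.get("IpPermissions", [])))


def broad_egress(group):
    """True if egress allows all protocols to anywhere, the wizard's default."""
    return any(r.get("IpProtocol") == "-1" and ANYWHERE.intersection(_sources(r))
               for r in group.get("IpPermissionsEgress", []))


def plan(groups, interfaces):
    """One row per launch-wizard group: exposure summary plus the safe next action."""
    attached = {g["GroupId"] for eni in interfaces for g in eni.get("Groups", [])}
    return [{"GroupId": g["GroupId"], "GroupName": g["GroupName"],
             "AdminPortsOpen": open_admin_ports(g), "BroadEgress": broad_egress(g),
             # delete-security-group raises DependencyViolation while an ENI still uses the group
             "Action": "detach-first" if g["GroupId"] in attached else "delete"}
            for g in groups if is_launch_wizard(g)]


# Constructed sample API responses for the dry run (not real account data).
def tcp_rule(port, cidr):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": cidr}]}

ALL_V4 = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
ALL_V6 = {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "launch-wizard-1",
     "IpPermissions": [tcp_rule(22, "0.0.0.0/0"), tcp_rule(3389, "0.0.0.0/0")], "IpPermissionsEgress": [ALL_V4]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "launch-wizard-7",
     "IpPermissions": [tcp_rule(3389, "10.0.0.0/8")], "IpPermissionsEgress": [tcp_rule(443, "0.0.0.0/0")]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "launch-wizard-12",
     "IpPermissions": [ALL_V6], "IpPermissionsEgress": [ALL_V6]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "baseline-web",
     "IpPermissions": [tcp_rule(443, "0.0.0.0/0")], "IpPermissionsEgress": [ALL_V4]},
]
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-0123456789abcdef0",
                "Groups": [{"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "launch-wizard-1"}]}]


def main(argv):
    """Dry run on the samples by default; --live reads the account, --live --delete removes unattached groups."""
    if "--live" not in argv:
        groups, enis = SAMPLE_GROUPS, SAMPLE_ENIS
    else:
        import boto3  # only needed against a real account
        ec2 = boto3.client("ec2")
        groups = [g for page in ec2.get_paginator("describe_security_groups").paginate()
                  for g in page["SecurityGroups"]]
        ids = [g["GroupId"] for g in groups if is_launch_wizard(g)]
        enis = [e for page in ec2.get_paginator("describe_network_interfaces").paginate(
                    Filters=[{"Name": "group-id", "Values": ids}]) for e in page["NetworkInterfaces"]] if ids else []
    for row in plan(groups, enis):
        print(row)
        if "--live" in argv and "--delete" in argv and row["Action"] == "delete":
            ec2.delete_security_group(GroupId=row["GroupId"])


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it without arguments to see the plan for the constructed sample: launch-wizard-1 is marked detach-first because an ENI still uses it, launch-wizard-7 is safe to delete but has no public admin exposure, and launch-wizard-12 shows why an "all traffic" (-1) rule counts against every admin port. Groups that are merely attached are never deleted; the ENI filter only covers network interfaces, so a group referenced by another group's rules can still fail with DependencyViolation and must be handled by hand.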
Source Code
Resource Type
AwsEc2SecurityGroup