

This script is part of the AWS Enrichment and Remediation Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This automation determines which interface on an EC2 instance has an over-permissive security group, identifies which security groups contain over-permissive rules, and replaces each of them with a copy of the security group that has only the over-permissive portion removed. Over-permissive means that sensitive ports (SSH, RDP, etc.) are exposed to the internet via IPv4.
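The rule rewrite described above, as an added example (not the pack's own code): it takes ingress rules in the `IpPermissions` shape returned by describe-security-groups and returns a copy in which the given port and protocol are no longer open to 0.0.0.0/0. The function names and sample rules are constructed for illustration, and the handling of port ranges (split around the port) and all-traffic `-1` rules (flagged, not rewritten) is an assumption about what "only the over-permissive portion removed" should mean.

```python
import copy

ANY_IPV4 = "0.0.0.0/0"

def remove_public_exposure(ip_permissions, port, protocol):
    """Return (new_rules, changed, needs_review) for a copy of the ingress
    rules in which port/protocol is no longer open to 0.0.0.0/0."""
    new_rules, needs_review, changed = [], [], False
    for original in ip_permissions:
        rule = copy.deepcopy(original)          # never mutate the source group
        public = [r for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        if public and proto == "-1":
            needs_review.append(rule)           # all-traffic rule: not rewritten here
        covers = proto == protocol and lo is not None and lo <= port <= hi
        if not (public and covers):
            new_rules.append(rule)              # nothing to strip from this rule
            continue
        changed = True
        # Keep the rule for every source other than 0.0.0.0/0.
        rule["IpRanges"] = [r for r in rule["IpRanges"] if r.get("CidrIp") != ANY_IPV4]
        if any(rule.get(k) for k in ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs", "PrefixListIds")):
            new_rules.append(rule)
        # Keep public access to the rest of a port range that merely contained the port.
        for a, b in ((lo, port - 1), (port + 1, hi)):
            if a <= b:
                new_rules.append({"IpProtocol": proto, "FromPort": a, "ToPort": b,
                                  "IpRanges": copy.deepcopy(public)})
    return new_rules, changed, needs_review

def is_public(rules, port, protocol):
    """True if any rule still opens port/protocol to 0.0.0.0/0."""
    return any(r.get("IpProtocol") == protocol and r.get("FromPort") is not None
               and r["FromPort"] <= port <= r["ToPort"]
               and any(c.get("CidrIp") == ANY_IPV4 for c in r.get("IpRanges", []))
               for r in rules)

# Constructed sample in the shape of describe-security-groups "IpPermissions".
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    fixed, changed, review = remove_public_exposure(SAMPLE, 22, "tcp")
    print(changed, is_public(fixed, 22, "tcp"), len(fixed), review)
```

Rules returned in `needs_review` are copied unchanged into the new rule set, so a group that exposes the port only through an all-traffic rule still needs a manual decision.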

Script Data

Script Type: python3
Cortex XSOAR Version: 6.5.0


This script uses the following commands and scripts.

  • aws-ec2-revoke-security-group-egress-rule
  • aws-ec2-authorize-security-group-ingress-rule
  • aws-ec2-authorize-security-group-egress-rule
  • aws-ec2-describe-instances
  • aws-ec2-revoke-security-group-ingress-rule
  • aws-ec2-create-security-group

Used In

This script is used in the following playbooks and scripts.

  • AWS - Security Group Remediation v2


| Argument Name | Description |
| --- | --- |
| instance_id | EC2 Instance ID. |
| port | TCP/UDP port to be restricted. |
| protocol | Protocol of the port to be restricted. |
| public_ip | Public IP address of the EC2 instance. |
| assume_role | Name of an AWS role to assume (should be the same for all organizations). |
| region | Region where EC2 instance is present. |


awssgrecreated (boolean): Sets the value to true or false if the security group is created.