AWS Security Group Rule Check

AWS Security Group Rule Check is a built-in Command Probe template that validates whether one or more AWS security groups still have rules of a given type (ingress or egress) configured during a chaos experiment. Use it to confirm that network access policy stays intact, for example after a fault that modifies or restricts security group rules.

The probe runs the healthchecks utility bundled in the chaos probe image, queries the Amazon EC2 security group APIs, and prints [Pass] when the targeted security groups have rules of the requested type configured. The comparator marks the probe as passed when the output contains [Pass].

Built-in probe template

This is a built-in Command Probe template that runs on Kubernetes chaos infrastructure. Add it to an experiment from the probe library and customize its inputs. Go to Built-in probe templates to browse the full library, or go to Command probe to understand how command probes work.


Use cases

Use this probe template to:

  • Validate that security group configurations stay intact during chaos.
  • Verify that network access rules are configured as expected.
  • Monitor security posture during infrastructure changes.
  • Confirm that security groups are not left without rules.

How the probe works

The template configures a Command Probe that runs healthchecks -name aws-resource-access-restrict. The utility resolves the security groups listed in SECURITY_GROUP_IDS in the supplied REGION, calls the Amazon EC2 security group APIs, and prints [Pass] when each group has rules of the RULE_TYPE configured. The comparator passes the probe when the output contains [Pass], and fails it otherwise.
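The check described above, re-created in Python as an added example (this is not the healthchecks utility's own code, whose internals are not shown on this page). It reads the same SECURITY_GROUP_IDS, RULE_TYPE and REGION variables, counts rules per group, and prints a line containing [Pass] only when every targeted group has at least one rule of the requested type. It assumes the field names of the real EC2 DescribeSecurityGroupRules response (GroupId, IsEgress) and runs offline against constructed sample rules; the live path needs boto3 and credentials with the two permissions listed under Permissions required.

```python
"""Rule-presence check in the spirit of `healthchecks -name aws-resource-access-restrict`.

Added example, not the probe's own code. Runs offline against CONSTRUCTED sample rules;
set SECURITY_GROUP_IDS and REGION to query EC2 for real (needs boto3 and credentials
allowing ec2:DescribeSecurityGroups and ec2:DescribeSecurityGroupRules).
"""
from __future__ import annotations

import os
import sys

# Constructed sample shaped like EC2 DescribeSecurityGroupRules output (subset of fields).
# sg-12345678 has one ingress and one egress rule; sg-87654321 has an egress rule only.
SAMPLE_RULES = [
    {"SecurityGroupRuleId": "sgr-0a1", "GroupId": "sg-12345678", "IsEgress": False,
     "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "10.0.0.0/8"},
    {"SecurityGroupRuleId": "sgr-0a2", "GroupId": "sg-12345678", "IsEgress": True,
     "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-0b1", "GroupId": "sg-87654321", "IsEgress": True,
     "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
]


def parse_group_ids(raw: str) -> list[str]:
    """Split the comma-separated SECURITY_GROUP_IDS value, ignoring stray whitespace."""
    ids = [g.strip() for g in raw.split(",") if g.strip()]
    if not ids:
        raise ValueError("SECURITY_GROUP_IDS must contain at least one security group ID")
    return ids


def rule_counts(rules: list[dict], group_ids: list[str], rule_type: str = "ingress") -> dict[str, int]:
    """Count rules of RULE_TYPE per targeted group; a group with no such rule counts 0."""
    if rule_type not in ("ingress", "egress"):
        raise ValueError(f"RULE_TYPE must be 'ingress' or 'egress', got {rule_type!r}")
    want_egress = rule_type == "egress"
    counts = {gid: 0 for gid in group_ids}
    for rule in rules:
        gid = rule.get("GroupId")
        if gid in counts and bool(rule.get("IsEgress")) == want_egress:
            counts[gid] += 1
    return counts


def evaluate(rules: list[dict], group_ids: list[str], rule_type: str = "ingress") -> tuple[bool, str]:
    """Pass only if EVERY targeted group has at least one rule of the requested type."""
    counts = rule_counts(rules, group_ids, rule_type)
    missing = [gid for gid, n in counts.items() if n == 0]
    if missing:
        return False, f"[Fail] no {rule_type} rules configured on: {', '.join(missing)}"
    summary = ", ".join(f"{gid}={n}" for gid, n in counts.items())
    return True, f"[Pass] {rule_type} rules configured on all targeted groups ({summary})"


def fetch_rules(group_ids: list[str], region: str) -> list[dict]:
    """Live path: confirm the groups exist, then page through their rules.

    DescribeSecurityGroups with explicit GroupIds raises InvalidGroup.NotFound for an
    unknown ID, whereas a filtered DescribeSecurityGroupRules call silently returns
    nothing and would look like "no rules". UnauthorizedOperation surfaces missing IAM
    permissions. Both errors arrive as botocore ClientError.
    """
    import boto3  # imported lazily so the offline path runs without it

    ec2 = boto3.client("ec2", region_name=region)
    ec2.describe_security_groups(GroupIds=group_ids)
    rules: list[dict] = []
    paginator = ec2.get_paginator("describe_security_group_rules")
    for page in paginator.paginate(Filters=[{"Name": "group-id", "Values": group_ids}]):
        rules.extend(page["SecurityGroupRules"])
    return rules


def main() -> int:
    rule_type = os.environ.get("RULE_TYPE", "ingress")
    raw_ids = os.environ.get("SECURITY_GROUP_IDS")
    region = os.environ.get("REGION")
    if raw_ids and region:
        group_ids = parse_group_ids(raw_ids)
        rules = fetch_rules(group_ids, region)
    else:  # offline demo on the constructed sample
        group_ids = ["sg-12345678", "sg-87654321"]
        rules = SAMPLE_RULES
    ok, message = evaluate(rules, group_ids, rule_type)
    print(message)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run with no environment set and the sample data fails for ingress (sg-87654321 has none) and passes for RULE_TYPE=egress, which mirrors the third troubleshooting entry below: a fault that strips ingress rules leaves the egress check green. The separate existence call matters because a filter on an unknown group ID returns an empty rule list rather than an error, so without it "group not found" and "group has no rules" would be indistinguishable; the example therefore uses both of the actions listed under Permissions required.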


Prerequisites

  • Chaos infrastructure: A Kubernetes chaos infrastructure with network access to the Amazon EC2 API endpoints.
  • AWS credentials: Cloud credentials available to the chaos infrastructure, with the permissions listed below.
  • Target security groups exist: Every ID in SECURITY_GROUP_IDS exists in REGION.

Permissions required

The credentials used by the probe need the following AWS actions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSecurityGroupRules"
          ],
          "Resource": "*"
        }
      ]
    }

The probe uses the AWS credentials available to your chaos infrastructure. Go to AWS IAM integration to set up access through IAM Roles for Service Accounts (IRSA), or go to common policy for all AWS faults to apply a single superset policy.


Probe properties

Command

healthchecks -name aws-resource-access-restrict

Comparator

Type   | Criteria | Value
string | contains | [Pass]

The probe passes when the command output contains [Pass], which indicates that the targeted security groups have rules of the requested type configured.

Environment variables

Variable           | Description                                                                                  | Required | Default
SECURITY_GROUP_IDS | Comma-separated list of security group IDs to check (for example, sg-12345678,sg-87654321).   | Yes      | -
RULE_TYPE          | Type of rule to check. Accepted values are ingress or egress.                                | No       | ingress
REGION             | AWS region where the security groups are located (for example, us-east-1, eu-west-2).        | Yes      | -

Run properties

Property        | Description                                                                   | Type    | Default
timeout         | Maximum time to wait for the probe to complete (for example, 30s, 1m, 5m).     | String  | 300s
interval        | Time between probe executions (for example, 5s, 30s, 1m).                     | String  | 10s
attempt         | Number of retry attempts before the probe is marked as failed.                | Integer | 1
pollingInterval | Time between retry attempts (for example, 1s, 5s, 10s).                       | String  | -
initialDelay    | Initial delay before the probe starts (for example, 0s, 10s, 30s).            | String  | -
stopOnFailure   | Stop the experiment if the probe fails.                                       | Boolean | false
verbosity       | Log verbosity level (info, debug, trace).                                     | String  | -

Troubleshooting

AWS Security Group Rule Check probe fails with an authorization error

The credentials available to the chaos infrastructure do not have the required EC2 permissions in the target region. Confirm that the IAM policy attached to the role or IRSA service account includes ec2:DescribeSecurityGroups and ec2:DescribeSecurityGroupRules, and that any policy condition (for example, one on the aws:RequestedRegion condition key) allows the region passed in REGION.

AWS Security Group Rule Check probe cannot find a security group

One or more IDs in SECURITY_GROUP_IDS did not resolve in the supplied REGION. Verify that the security group IDs are correct, that REGION matches the region that owns the security groups, and that the AWS account used by the credentials owns them.

AWS Security Group Rule Check probe fails because no rules were found

The targeted security groups have no rules of the requested RULE_TYPE, which can be the intended outcome of a fault that restricts access. Confirm whether RULE_TYPE (ingress or egress) matches the rules you expect to validate, and whether the experiment is supposed to leave those rules in place at the probe's execution phase.