Are you trying to fix the AWS error "An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group."?
This guide is for you.
Sometimes, when the AWS Config rule vpc-sg-open-only-to-authorized-ports is set to auto-remediate with the AWS Systems Manager Automation document AWS-DisablePublicAccessForSecurityGroup (which closes the SSH and RDP ports), users might experience an auto-remediation failure with this error.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to fix AWS related errors.
In this context, we shall look into why this error occurs and how to fix it.
Nature of the error "InvalidPermission.NotFound" with the AWS Config rule and Systems Manager Automation ?
As stated earlier, AWS users might experience an error such as this:
"An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group."
This happens when the AWS Config rule vpc-sg-open-only-to-authorized-ports is remediated with the Systems Manager Automation document AWS-DisablePublicAccessForSecurityGroup, and it is the document that throws the error.
The AWS Config rule checks whether a security group allows unrestricted inbound TCP or UDP traffic (from 0.0.0.0/0) only on the ports you have authorized. For example, to allow TCP ports 443 and 1020-1025 to be open to 0.0.0.0/0, list them in the rule parameter authorizedTcpPorts as 443,1020-1025 (UDP ports go in authorizedUdpPorts). Any other port open to 0.0.0.0/0 makes the security group NON_COMPLIANT.
The SSM document AWS-DisablePublicAccessForSecurityGroup, on the other hand, only revokes the default SSH (22) and RDP (3389) ports when they are open to all IP addresses (0.0.0.0/0), or to the IPv4 address given in its IpAddressToBlock parameter. So when the rule flags a security group for some other port, say TCP 80 open to 0.0.0.0/0, the document asks EC2 to revoke rules for 22 and 3389 that are not there, and RevokeSecurityGroupIngress fails with InvalidPermission.NotFound.
How to fix the error "InvalidPermission.NotFound" with the AWS Config rule and Systems Manager Automation ?
The client error InvalidPermission.NotFound from the RevokeSecurityGroupIngress API action means that the target security group doesn't have the inbound rule the request asked to revoke (here, TCP 22 or 3389 from the given CIDR), or that the security group isn't located in the default Amazon Virtual Private Cloud (Amazon VPC).
Note: Before you begin, be sure that you installed and configured the AWS Command Line Interface (AWS CLI).
To verify the error message, run the AWS CLI command describe-remediation-execution-status similar to the following, replacing the Region and the security group ID with your own:
aws configservice describe-remediation-execution-status --config-rule-name vpc-sg-open-only-to-authorized-ports --region af-south-1 --resource-keys resourceType=AWS::EC2::SecurityGroup,resourceId=sg-1234567891234567891
For the document to succeed, the inbound rules of the security group must contain the rule it tries to revoke, that is, one of the following patterns:
SSH or RDP port + 0.0.0.0/0
SSH or RDP port + ::/0
To configure auto-remediation for other ports (including 22 and 3389 alongside them), you can write a custom SSM Automation document that revokes exactly the rules the Config rule flagged, and use it as the remediation action instead.
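The following Python script is an added example, not code from the page or from AWS. It reproduces the mismatch offline: a constructed describe-security-groups response (sample data, not a real account) is checked the way the Config rule checks it, then run through a model of the revoke calls AWS-DisablePublicAccessForSecurityGroup makes, which shows where InvalidPermission.NotFound comes from, and finally turned into the IpPermissions a custom Automation document would pass to RevokeSecurityGroupIngress. The Config rule logic is an approximation based on its documented parameters (only 0.0.0.0/0 is considered), and the function and variable names are this example's own.

```python
import json

# Constructed sample of what `aws ec2 describe-security-groups` returns for one
# group (not a real account). It is open to the world on TCP 80 and 8080-8090,
# allows SSH only from an office range, and RDP only over IPv6 from ::/0.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

PUBLIC_V4, PUBLIC_V6 = "0.0.0.0/0", "::/0"


def parse_ports(spec):
    """Parse a rule parameter such as "443,1020-1025" into (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            lo, _, hi = item.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges


def unauthorized_public_ports(sg, authorized_tcp="", authorized_udp=""):
    """Approximation of vpc-sg-open-only-to-authorized-ports: return
    (protocol, from, to) for each inbound rule open to 0.0.0.0/0 whose port
    range is not fully inside an authorized range. Only IPv4 0.0.0.0/0 is
    modelled, following the rule's parameter description (assumption)."""
    authorized = {"tcp": parse_ports(authorized_tcp),
                  "udp": parse_ports(authorized_udp)}
    findings = []
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto not in authorized:
            continue
        if not any(r.get("CidrIp") == PUBLIC_V4 for r in perm.get("IpRanges", [])):
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if not any(a <= lo and hi <= b for a, b in authorized[proto]):
            findings.append((proto, lo, hi))
    return findings


def _has_rule(sg, port, cidr):
    """True if an inbound TCP rule for exactly this port and this CIDR exists."""
    key, ranges = ("CidrIpv6", "Ipv6Ranges") if ":" in cidr else ("CidrIp", "IpRanges")
    return any(p["IpProtocol"] == "tcp"
               and p.get("FromPort") == port and p.get("ToPort") == port
               and any(r.get(key) == cidr for r in p.get(ranges, []))
               for p in sg["IpPermissions"])


def disable_public_access_outcome(sg, ip_to_block=PUBLIC_V4):
    """Model the revoke calls AWS-DisablePublicAccessForSecurityGroup makes:
    TCP 22 and TCP 3389 from IpAddressToBlock (default 0.0.0.0/0). A call for a
    rule that is not present is what EC2 rejects with InvalidPermission.NotFound."""
    return [{"port": port, "cidr": ip_to_block,
             "error": None if _has_rule(sg, port, ip_to_block)
             else "InvalidPermission.NotFound"}
            for port in (22, 3389)]


def custom_revoke_permissions(findings):
    """Build the IpPermissions a custom SSM Automation document (an
    aws:executeAwsApi step calling RevokeSecurityGroupIngress) would pass to
    remove exactly the world-open rules the Config rule flagged. Only the
    0.0.0.0/0 range is revoked, so the same ports stay open to other sources."""
    return [{"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
             "IpRanges": [{"CidrIp": PUBLIC_V4}]} for proto, lo, hi in findings]


if __name__ == "__main__":
    flagged = unauthorized_public_ports(SAMPLE_SG, authorized_tcp="443,1020-1025")
    print("Config rule flags:", flagged)
    print("AWS-DisablePublicAccessForSecurityGroup would get:",
          json.dumps(disable_public_access_outcome(SAMPLE_SG), indent=1))
    print("Custom document should revoke:",
          json.dumps(custom_revoke_permissions(flagged), indent=1))
```

Run against the sample, the Config rule flags TCP 80 and 8080-8090, while both revoke calls of the stock document report InvalidPermission.NotFound, because 22 is only open to 203.0.113.0/24 and 3389 only over IPv6. Passing IpAddressToBlock as 203.0.113.0/24 makes the port 22 call succeed, which is the "SSH or RDP port + CIDR" pattern the document needs. Against a real account, feed the script the output of aws ec2 describe-security-groups --group-ids instead of SAMPLE_SG.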