Why is it that a Security Group in AWS that is not attached to any EC2 instance, ENI, etc., did not violate the Networking policy LW_AWS_NETWORKING_1 (Security groups are not attached to the EC2 instance)?
LW_AWS_NETWORKING_1 was not triggered because the Security Group in question was either named 'default', a name the policy ignores, or it is the default SG assigned to the VPC in which the instances are launched.
AWS automatically assigns a security group named 'default', with unrestricted inbound and outbound traffic, as described here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/default-custom-security-groups.html#default-security-group.
See the insert below for an example.
If the SG is not a default SG and was simply given that name, customers should consider renaming it so that the policy evaluates it as expected.
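To make the exclusion concrete, here is an added, offline model of the behaviour described above; it is not Lacework's implementation and not code from this article. It assumes the policy logic exactly as stated (unattached security groups are findings unless the group is named 'default'), and uses constructed sample data shaped like the EC2 DescribeSecurityGroups and DescribeNetworkInterfaces responses, so no AWS calls are made. Security groups attach to ENIs, so "attached to an EC2 instance" is checked through the ENIs' group lists.

```python
"""Offline model of the LW_AWS_NETWORKING_1 exclusion described above.

Assumption: the policy flags security groups referenced by no ENI, except
groups whose GroupName is 'default'. Sample data is constructed to mirror
only the fields of the EC2 API responses that this check needs.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample shaped like EC2 DescribeSecurityGroups output.
SECURITY_GROUPS: List[Dict[str, str]] = [
    {"GroupId": "sg-0a1", "GroupName": "default", "VpcId": "vpc-111"},  # VPC default SG, unattached
    {"GroupId": "sg-0b2", "GroupName": "web-alb", "VpcId": "vpc-111"},  # attached to ENIs below
    {"GroupId": "sg-0c3", "GroupName": "old-db", "VpcId": "vpc-111"},   # unattached, should be flagged
    {"GroupId": "sg-0d4", "GroupName": "default", "VpcId": "vpc-222"},  # constructed stand-in for the
                                                                        # "SG merely named 'default'" case
]

# Constructed sample shaped like EC2 DescribeNetworkInterfaces output. EC2
# instances, load balancers, Lambda and RDS all attach groups via an ENI.
NETWORK_INTERFACES: List[Dict] = [
    {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-0b2", "GroupName": "web-alb"}]},
    {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-0b2", "GroupName": "web-alb"}]},
]

POLICY_EXCLUDED_NAME = "default"  # the name the policy ignores, per the article


def attached_group_ids(interfaces: List[Dict]) -> Set[str]:
    """Every GroupId referenced by at least one ENI."""
    return {g["GroupId"] for eni in interfaces for g in eni.get("Groups", [])}


def unattached_groups(groups: List[Dict[str, str]], interfaces: List[Dict]) -> List[Dict[str, str]]:
    """Security groups that no ENI references."""
    attached = attached_group_ids(interfaces)
    return [g for g in groups if g["GroupId"] not in attached]


def evaluate_policy(groups: List[Dict[str, str]], interfaces: List[Dict]) -> Tuple[List[str], List[str]]:
    """Return (flagged, skipped): unattached groups the policy reports, and
    unattached groups it silently skips because they are named 'default'."""
    flagged: List[str] = []
    skipped: List[str] = []
    for g in unattached_groups(groups, interfaces):
        target = skipped if g["GroupName"] == POLICY_EXCLUDED_NAME else flagged
        target.append(g["GroupId"])
    return flagged, skipped


def rename_group(groups: List[Dict[str, str]], group_id: str, new_name: str) -> List[Dict[str, str]]:
    """Simulate the remediation the article suggests: give a non-default SG a
    name other than 'default' so the policy evaluates it. Returns a new list."""
    return [dict(g, GroupName=new_name) if g["GroupId"] == group_id else g for g in groups]


def main() -> None:
    flagged, skipped = evaluate_policy(SECURITY_GROUPS, NETWORK_INTERFACES)
    print("Flagged by policy:", flagged)
    print("Unattached but skipped (named 'default'):", skipped)
    # After renaming the custom group, it is no longer hidden from the policy.
    renamed = rename_group(SECURITY_GROUPS, "sg-0d4", "legacy-default")
    print("After rename, flagged:", evaluate_policy(renamed, NETWORK_INTERFACES)[0])


if __name__ == "__main__":
    main()
```

The useful output for a reviewer is the `skipped` list: every entry there is an unattached group the policy will never report, so each one should be confirmed to be the genuine VPC default (one per VPC) rather than a custom group that happens to carry the name.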