Ensure the default security group of every VPC restricts all traffic
A VPC comes with a default security group whose initial settings deny all inbound traffic from outside the group, allow all outbound traffic, and allow all traffic between instances assigned to the security group (a self-referencing inbound rule). If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.
Risk Level: Critical
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.04
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
SecurityGroup where name like 'default' should have inboundRules isEmpty() and outboundRules isEmpty()
REMEDIATION
From Portal
Security Group Members
Perform the following to implement the prescribed state:
- Identify AWS resources that exist within the default security group
- Create a set of least-privilege security groups for those resources
- Place the resources in those security groups
- Remove the resources identified in the first step from the default security group
Security Group State
- Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
- Repeat the following steps for every VPC, including the default VPC in each AWS region:
- In the left pane, click 'Security Groups'.
- Select the default security group of the VPC
- On the Inbound rules tab, delete all inbound rules (including the self-referencing rule created with the VPC).
- On the Outbound rules tab, delete all outbound rules.
- Create a set of least-privilege security groups for the resources that still need connectivity.
Recommended: the group name and description of a default security group cannot be edited, but you can add a 'Name' tag, which the console displays in the security group list. After remediating default group rules for all VPCs in all regions, set this tag to text similar to 'DO NOT USE. DO NOT ADD RULES'.
From TF
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

# Managing the VPC's default security group with no ingress or egress
# blocks removes every rule it contains, including the self-referencing
# inbound rule and the allow-all outbound rule created with the VPC.
# Adding an ingress or egress block here would re-create rules, so leave
# them out to keep the group fully restricted.
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.mainvpc.id

  tags = {
    Name = "DO NOT USE. DO NOT ADD RULES"
  }
}
From Command Line
Revoking by CIDR with --group-name only works in the default VPC and does not match the default group's self-referencing inbound rule (which has no CIDR). Instead, find the default security group of each VPC by ID, list its rule IDs, and revoke them by ID. Repeat in every region:
aws ec2 describe-security-groups --region REGION --filters Name=group-name,Values=default --query 'SecurityGroups[].GroupId' --output text
aws ec2 describe-security-group-rules --region REGION --filters Name=group-id,Values=GROUP-ID --query 'SecurityGroupRules[?IsEgress==`false`].SecurityGroupRuleId' --output text
aws ec2 describe-security-group-rules --region REGION --filters Name=group-id,Values=GROUP-ID --query 'SecurityGroupRules[?IsEgress==`true`].SecurityGroupRuleId' --output text
aws ec2 revoke-security-group-ingress --region REGION --group-id GROUP-ID --security-group-rule-ids INGRESS-RULE-ID
aws ec2 revoke-security-group-egress --region REGION --group-id GROUP-ID --security-group-rule-ids EGRESS-RULE-ID
Verify afterwards that both rule lists come back empty for every default group.
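The following is an added example, not part of the CloudGuard page or the AWS CLI, that applies the GSL logic above offline to the JSON shape returned by `aws ec2 describe-security-groups`, and turns each non-compliant default group into the exact `revoke-security-group-ingress` / `revoke-security-group-egress` invocations needed to strip it. It passes the group's own permission lists back via `--ip-permissions`, so the self-referencing inbound rule (which has no CIDR) is matched as well. The sample response, group IDs, VPC IDs and account ID are constructed; the function names are this example's own.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Group and VPC IDs and the account ID are made up for the example.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {   # Factory-fresh default group: self-referencing ingress, allow-all egress.
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "default",
            "VpcId": "vpc-0a1b2c3d4e5f67890",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0",
                                       "UserId": "123456789012"}],
                 "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": []}
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
            ],
        },
        {   # Default group that has already been remediated.
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "default",
            "VpcId": "vpc-09876543210fedcba",
            "IpPermissions": [],
            "IpPermissionsEgress": [],
        },
        {   # Non-default group: out of scope for D9.AWS.NET.04 even though it is open.
            "GroupId": "sg-0aaaaaaaaaaaaaaaa",
            "GroupName": "web-tier",
            "VpcId": "vpc-0a1b2c3d4e5f67890",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
            ],
        },
    ]
}


def default_groups(response):
    """Security groups the rule applies to: GroupName equal to 'default'."""
    return [g for g in response.get("SecurityGroups", []) if g.get("GroupName") == "default"]


def is_compliant(group):
    """GSL: inboundRules isEmpty() and outboundRules isEmpty()."""
    return not group.get("IpPermissions") and not group.get("IpPermissionsEgress")


def evaluate(response):
    """Map each default group's ID to its compliance state (True = restricts all traffic)."""
    return {g["GroupId"]: is_compliant(g) for g in default_groups(response)}


def remediation_commands(response, region):
    """AWS CLI commands that remove every rule from each non-compliant default group.

    The permission list is echoed back verbatim as --ip-permissions JSON, which is
    what the revoke calls need to match a rule exactly (protocol, ports, CIDRs and
    source group pairs). Nothing is generated for groups that are already empty or
    that are not the VPC default group.
    """
    cmds = []
    for g in default_groups(response):
        if is_compliant(g):
            continue
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            perms = g.get(key) or []
            if not perms:
                continue
            cmds.append(
                f"aws ec2 revoke-security-group-{direction} --region {region} "
                f"--group-id {g['GroupId']} --ip-permissions '{json.dumps(perms)}'"
            )
    return cmds


if __name__ == "__main__":
    for group_id, ok in evaluate(SAMPLE_RESPONSE).items():
        print(f"{group_id}: {'compliant' if ok else 'NON-COMPLIANT'}")
    for cmd in remediation_commands(SAMPLE_RESPONSE, "us-east-1"):
        print(cmd)
```

To run this against a live account, replace `SAMPLE_RESPONSE` with the parsed output of `aws ec2 describe-security-groups --region REGION --output json` (or the equivalent boto3 call) for each region, review the generated commands, and execute them; re-run `evaluate` afterwards and confirm every default group reports compliant.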
References
- https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html
AWS Security Group
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CIS Foundations v. 1.0.0
- AWS CIS Foundations v. 1.1.0
- AWS CIS Foundations v. 1.2.0
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard Network Alerts for default VPC components
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset