Default Security Groups - with network policies

The VPC default security group is created automatically and cannot be deleted; by default it is created with rules allowing all inbound and outbound traffic. AWS and CloudGuard's best practice is to keep the default security group without any rules and to avoid using it.

Risk Level: Medium
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.1001
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup where name='default' should have inboundRules isEmpty() and outboundRules isEmpty()

REMEDIATION

From Portal
Security Group Members

Perform the following to implement the prescribed state:

  1. Identify AWS resources that exist within the default security group
  2. Create a set of least privilege security groups for those resources
  3. Place the resources in those security groups
  4. Remove the resources noted in #1 from the default security group

Security Group State

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
  3. In the left pane, click 'Security Groups'.
  4. For each default security group, perform the following:
  5. Select the default security group
  6. For each default security group, choose the Inbound rules tab and delete all inbound rules.
  7. For each default security group, choose the Outbound rules tab and delete all outbound rules.
  8. Create a set of least-privilege security groups for the resources (see the Terraform and command-line guidance below and the References section).
    Recommended: IAM groups allow you to edit the 'name' field. After remediating the default group rules for all VPCs in all regions, edit this field to add text similar to 'DO NOT USE. DO NOT ADD RULES'.

From TF

# Adopting the default security group with no ingress/egress blocks makes
# Terraform remove every existing rule from it and keep it empty.
resource "aws_default_security_group" "default" {
	vpc_id = aws_vpc.ok_vpc.id
}

From Command Line
To make sure the default security group of every VPC restricts all traffic, run the following for each remaining rule, replacing REGION, GROUP-NAME, PROTOCOL and PORT with the values of that rule. Note that --group-name only resolves groups in the default VPC; for the default security group of a non-default VPC, pass --group-id instead:

aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP-NAME --protocol PROTOCOL --port PORT --cidr 0.0.0.0/0
aws ec2 revoke-security-group-egress --region REGION --group-name GROUP-NAME --protocol PROTOCOL --port PORT --cidr 0.0.0.0/0
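The GSL logic above and the command-line remediation both operate on the same data: the output of `aws ec2 describe-security-groups`. The following added example (not CloudGuard's or AWS's code) evaluates the rule against a constructed sample of that output and, for every non-compliant default group, builds the `revoke-security-group-ingress` / `revoke-security-group-egress` calls using `--ip-permissions`, which revokes all rules of a group in one call and also covers rule types the `--protocol/--port/--cidr` shorthand cannot express (self-references, IPv6 ranges, prefix lists). The group and VPC ids, the account id and the helper names are constructed for this example.

```python
"""
Evaluate CloudGuard rule D9.AWS.NET.1001 (default security groups must have
no inbound or outbound rules) against the JSON shape returned by
`aws ec2 describe-security-groups`, and build the `--ip-permissions` payloads
accepted by `revoke-security-group-ingress` / `revoke-security-group-egress`.
Added example, not CloudGuard's or AWS's code; all sample data is constructed.
"""
import json

# Constructed sample of `aws ec2 describe-security-groups --region REGION`:
# one default group still carrying the factory allow-all rules plus an SSH
# rule someone added, one default group already emptied, and one non-default
# group that is out of scope for the rule.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0000000000000001",  # constructed id
            "GroupName": "default",
            "VpcId": "vpc-0000000000000001",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "UserIdGroupPairs": [{"GroupId": "sg-0000000000000001",
                                       "UserId": "111111111111"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
        },
        {
            "GroupId": "sg-0000000000000002",
            "GroupName": "default",
            "VpcId": "vpc-0000000000000002",
            "IpPermissions": [],
            "IpPermissionsEgress": [],
        },
        {
            "GroupId": "sg-0000000000000003",
            "GroupName": "web-tier",
            "VpcId": "vpc-0000000000000001",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
            "IpPermissionsEgress": [{"IpProtocol": "-1",
                                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        },
    ]
})


def is_compliant(group):
    """GSL: inboundRules isEmpty() and outboundRules isEmpty()."""
    return not group.get("IpPermissions") and not group.get("IpPermissionsEgress")


def evaluate(describe_output):
    """Return {GroupId: compliant?} for every group named 'default'.

    Non-default groups are not selected by the rule and are not reported.
    """
    groups = json.loads(describe_output)["SecurityGroups"]
    return {g["GroupId"]: is_compliant(g)
            for g in groups if g["GroupName"] == "default"}


def revoke_commands(describe_output, region):
    """Build the CLI calls that strip every rule from each failing default group.

    --group-id is used rather than --group-name because the name only resolves
    in the default VPC, while default groups exist in every VPC.
    """
    groups = json.loads(describe_output)["SecurityGroups"]
    commands = []
    for g in groups:
        if g["GroupName"] != "default" or is_compliant(g):
            continue
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            perms = g.get(key) or []
            if perms:
                commands.append(
                    f"aws ec2 revoke-security-group-{direction} --region {region} "
                    f"--group-id {g['GroupId']} --ip-permissions '{json.dumps(perms)}'"
                )
    return commands


if __name__ == "__main__":
    for gid, ok in evaluate(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{gid}: {'compliant' if ok else 'NON-COMPLIANT'}")
    for cmd in revoke_commands(SAMPLE_DESCRIBE_OUTPUT, "REGION"):
        print(cmd)
```

In practice the sample JSON would be replaced by the real `describe-security-groups` output for each region, and the generated commands reviewed before they are executed; the evaluation half alone doubles as an offline check that a given region is already compliant.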

References

  1. https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Dashboards