Ensure the default security group of every VPC restricts all traffic

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

Risk Level: High
Cloud Entity: Amazon VPC
CloudGuard Rule ID: D9.TF.AWS.NET.03
Covered by Spectral: No
Category: Compute

GSL LOGIC

aws_default_security_group should not have ingress with [cidr_blocks contain ['0.0.0.0:0'] or ipv6_cidr_blocks contain ['::/0']] or egress with [cidr_blocks contain ['0.0.0.0:0'] or ipv6_cidr_blocks contain ['::/0']]

REMEDIATION

  1. Run aws ec2 describe-security-groups
  2. For each group that allows ingress from 0.0.0.0/0 or egress to 0.0.0.0/0:
     2.1 Run aws ec2 delete-security-configuration --group-ids <group>
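The following is an added example (not part of the CloudGuard rule or its documentation) that applies the GSL logic above to the JSON returned by step 1: it scans the describe-security-groups output for VPC default groups (GroupName "default") with any ingress or egress rule open to 0.0.0.0/0 or ::/0. The input below is a constructed sample in the shape of that output, not data from a real account.

```python
import json

# Constructed sample mimicking `aws ec2 describe-security-groups` output.
# sg-0aaaa is a default group whose egress is open to the world (non-compliant);
# sg-0bbbb is a default group with all rules removed (compliant);
# sg-0cccc is open to the world but is not a default group, so out of scope.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0aaaa", "GroupName": "default", "VpcId": "vpc-1",
  "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                     "UserIdGroupPairs": [{"GroupId": "sg-0aaaa"}]}],
  "IpPermissionsEgress": [{"IpProtocol": "-1",
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbbb", "GroupName": "default", "VpcId": "vpc-2",
  "IpPermissions": [], "IpPermissionsEgress": []},
 {"GroupId": "sg-0cccc", "GroupName": "web", "VpcId": "vpc-2",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
  "IpPermissionsEgress": []}
]}
""")

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def open_world_rules(perms):
    """Return (protocol, from_port, to_port) for rules whose CIDR is 0.0.0.0/0 or ::/0."""
    hits = []
    for p in perms:
        cidrs = [r["CidrIp"] for r in p.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
        if ANY_V4 in cidrs or ANY_V6 in cidrs:
            hits.append((p.get("IpProtocol"), p.get("FromPort"), p.get("ToPort")))
    return hits


def noncompliant_default_groups(describe_output):
    """Flag default security groups with any world-open ingress or egress rule."""
    findings = {}
    for sg in describe_output["SecurityGroups"]:
        if sg["GroupName"] != "default":
            continue  # the rule is scoped to each VPC's default security group
        ingress = open_world_rules(sg.get("IpPermissions", []))
        egress = open_world_rules(sg.get("IpPermissionsEgress", []))
        if ingress or egress:
            findings[sg["GroupId"]] = {"vpc": sg["VpcId"], "ingress": ingress, "egress": egress}
    return findings


if __name__ == "__main__":
    # Replace SAMPLE with json.load(sys.stdin) to check real describe-security-groups output.
    for gid, f in noncompliant_default_groups(SAMPLE).items():
        print(f"{gid} ({f['vpc']}): ingress={f['ingress']} egress={f['egress']}")
```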

Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

Compliance Frameworks

  • Terraform AWS CIS Foundations