Skip to main content

๐Ÿ›ก๏ธ AWS EC2 Default Security Group does not restrict all traffic๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Default Security Group does not restrict all traffic๐ŸŸข
  • ID: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-ecd99f881

Descriptionโ€‹

Open File

Descriptionโ€‹

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

The default VPC in every region should have its default security group updated to comply with the following:

  • No inbound rules.s
  • No outbound rules.

NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

Security Group Membersโ€‹

Perform the following to implement the prescribed state:

  1. Identify AWS resources that exist within the default security group.
  2. Create a set of least privilege security groups for those resources.
  3. Place the resources in those security groups.
  4. Remove the resources noted in #1 from the default security group.

Security Group Stateโ€‹

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

  2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:

  3. In the left pane, click Security Groups.

  4. For each default security group, perform the following:

    • Select the default security group.
    • Click the Inbound Rules tab.
    • Remove any inbound rules.
    • Click the Outbound Rules tab.
    • Remove any Outbound rules.

IAM groups allow you to edit the name field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to DO NOT USE. DO NOT ADD RULES.

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ AWS Foundational Security Best Practices v1.0.0 โ†’ ๐Ÿ’ผ [EC2.2] VPC default security groups should not allow inbound or outbound traffic1no data
๐Ÿ’ผ CIS AWS v1.2.0 โ†’ ๐Ÿ’ผ 4.3 Ensure the default security group of every VPC restricts all traffic1no data
๐Ÿ’ผ CIS AWS v1.3.0 โ†’ ๐Ÿ’ผ 5.3 Ensure the default security group of every VPC restricts all traffic1no data
๐Ÿ’ผ CIS AWS v1.4.0 โ†’ ๐Ÿ’ผ 5.3 Ensure the default security group of every VPC restricts all traffic1no data
๐Ÿ’ผ CIS AWS v1.5.0 โ†’ ๐Ÿ’ผ 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)1no data
๐Ÿ’ผ CIS AWS v2.0.0 โ†’ ๐Ÿ’ผ 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)1no data
๐Ÿ’ผ CIS AWS v3.0.0 โ†’ ๐Ÿ’ผ 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)1no data
๐Ÿ’ผ CIS AWS v4.0.0 โ†’ ๐Ÿ’ผ 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)1no data
๐Ÿ’ผ CIS AWS v4.0.1 โ†’ ๐Ÿ’ผ 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)1no data
๐Ÿ’ผ CIS AWS v5.0.0 โ†’ ๐Ÿ’ผ 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)1no data
๐Ÿ’ผ CIS AWS v6.0.0 โ†’ ๐Ÿ’ผ 6.5 Ensure the default security group of every VPC restricts all traffic (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Secure Access57no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)23681no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1148no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)10850no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)28no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)18no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(21) Isolation of System Components (H)24no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)35no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)166no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)48no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)744no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)28no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)18no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events142no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained69no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected125no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected142no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.IR-01: Networks and environments are protected from unauthorized logical access and usage95no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement326891no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3748no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7 Boundary Protection29452no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(4) Boundary Protection _ External Telecommunications Services28no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(5) Boundary Protection _ Deny by Default โ€” Allow by Exception418no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic24no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(16) Boundary Protection _ Prevent Discovery of System Components25no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(21) Boundary Protection _ Isolation of System Components24no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1056no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.7no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.19no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.56no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.56no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 2.2.2 Vendor default accounts are managed.9no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.756no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.56no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 2.2.2 Vendor default accounts are managed.9no data
๐Ÿ’ผ UK Cyber Essentials โ†’ ๐Ÿ’ผ 1.2 Prevent access to the administrative interface from the internet3638no data