🛡️ AWS EC2 Default Security Group does not restrict all traffic 🟢

  • Contextual name: 🛡️ Default Security Group does not restrict all traffic 🟢
  • ID: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-ecd99f881

Description

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

The default VPC in every region should have its default security group updated to comply with the following:

  • No inbound rules.
  • No outbound rules.

NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.

Remediation

Security Group Members

Perform the following to implement the prescribed state:

  1. Identify AWS resources that exist within the default security group.
  2. Create a set of least privilege security groups for those resources.
  3. Place the resources in those security groups.
  4. Remove the resources noted in #1 from the default security group.

Security Group State

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

  2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:

  3. In the left pane, click Security Groups.

  4. For each default security group, perform the following:

    • Select the default security group.
    • Click the Inbound Rules tab.
    • Remove any inbound rules.
    • Click the Outbound Rules tab.
    • Remove any outbound rules.

IAM groups allow you to edit the name field. After remediating default group rules for all VPCs in all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES."
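A read-only check covering both remediation parts above, as an added example that is not part of the original policy page: it takes response data shaped like the EC2 DescribeSecurityGroups and DescribeNetworkInterfaces calls (for instance from boto3's `describe_security_groups()` and `describe_network_interfaces()`) and reports, for each default security group, the remaining rules and the network interfaces still attached to it. The function name `audit_default_groups` and all IDs are constructed for illustration.

```python
# Added example: read-only audit of VPC default security groups.
# Input dicts follow the DescribeSecurityGroups / DescribeNetworkInterfaces
# response shape; every ID below is a constructed sample value.

def audit_default_groups(sg_response, eni_response):
    """Report rules and attached interfaces for each default security group."""
    members = {}  # security group ID -> IDs of interfaces that use it
    for eni in eni_response.get("NetworkInterfaces", []):
        for group in eni.get("Groups", []):
            members.setdefault(group["GroupId"], []).append(eni["NetworkInterfaceId"])

    reports = []
    for sg in sg_response.get("SecurityGroups", []):
        if sg.get("GroupName") != "default":
            continue  # custom groups are out of scope for this policy
        inbound = len(sg.get("IpPermissions", []))
        outbound = len(sg.get("IpPermissionsEgress", []))
        reports.append({
            "VpcId": sg.get("VpcId"),
            "GroupId": sg["GroupId"],
            "InboundRules": inbound,
            "OutboundRules": outbound,
            # Interfaces to move to least privilege groups before removing rules.
            "AttachedInterfaces": sorted(members.get(sg["GroupId"], [])),
            "Compliant": inbound == 0 and outbound == 0,
        })
    return reports

# Constructed sample: one untouched default group, one remediated, one custom.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0example000000001", "GroupName": "default", "VpcId": "vpc-0example00000001",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-0example000000001"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example000000002", "GroupName": "default", "VpcId": "vpc-0example00000002",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0example000000003", "GroupName": "web", "VpcId": "vpc-0example00000001",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]}
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0example00000001", "Groups": [{"GroupId": "sg-0example000000001"}]},
    {"NetworkInterfaceId": "eni-0example00000002", "Groups": [{"GroupId": "sg-0example000000003"}]},
]}

if __name__ == "__main__":
    for report in audit_default_groups(SAMPLE_SGS, SAMPLE_ENIS):
        print(report)
```

A default group that is non-compliant and still lists attached interfaces needs the Security Group Members steps completed before its rules are removed.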

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.2] VPC default security groups should not allow inbound or outbound traffic 1 no data
💼 CIS AWS v1.2.0 → 💼 4.3 Ensure the default security group of every VPC restricts all traffic 1 no data
💼 CIS AWS v1.3.0 → 💼 5.3 Ensure the default security group of every VPC restricts all traffic 1 no data
💼 CIS AWS v1.4.0 → 💼 5.3 Ensure the default security group of every VPC restricts all traffic 1 no data
💼 CIS AWS v1.5.0 → 💼 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated) 1 no data
💼 CIS AWS v2.0.0 → 💼 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated) 1 no data
💼 CIS AWS v3.0.0 → 💼 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated) 1 no data
💼 CIS AWS v4.0.0 → 💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated) 1 no data
💼 CIS AWS v4.0.1 → 💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated) 1 no data
💼 CIS AWS v5.0.0 → 💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated) 1 no data
💼 CIS AWS v6.0.0 → 💼 6.5 Ensure the default security group of every VPC restricts all traffic (Automated) 1 no data
💼 Cloudaware Framework → 💼 Secure Access 57 no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) 23789 no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 1152 no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) 10864 no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H) 35 no data
💼 FedRAMP High Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H) 18 no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H) 28 no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) 40 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) 173 no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 52 no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) 753 no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H) 35 no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H) 18 no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events 150 no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 149 no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained 76 no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected 164 no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected 140 no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected 156 no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage 103 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement 326999 no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows 3752 no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection 29466 no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services 35 no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception 418 no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic 28 no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components 29 no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components 28 no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 1060 no data
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. 11 no data
💼 PCI DSS v3.2.1 → 💼 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 19 no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted. 60 no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted. 60 no data
💼 PCI DSS v4.0.1 → 💼 2.2.2 Vendor default accounts are managed. 9 no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted. 760 no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted. 60 no data
💼 PCI DSS v4.0 → 💼 2.2.2 Vendor default accounts are managed. 9 no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet 3638 no data