🛡️ AWS EC2 Default Security Group does not restrict all traffic🟢

  • Contextual name: 🛡️ Default Security Group does not restrict all traffic🟢
  • ID: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Similar Internal Rules

  • Rule: ✉️ dec-x-ecd99f881

Description

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

The default VPC in every region should have its default security group updated to comply with the following:

  • No inbound rules.
  • No outbound rules.

NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.

Remediation

Security Group Members

Perform the following to implement the prescribed state:

  1. Identify AWS resources that exist within the default security group.
  2. Create a set of least privilege security groups for those resources.
  3. Place the resources in those security groups.
  4. Remove the resources noted in #1 from the default security group.

Security Group State

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

  2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:

  3. In the left pane, click Security Groups.

  4. For each default security group, perform the following:

    • Select the default security group.
    • Click the Inbound Rules tab.
    • Remove any inbound rules.
    • Click the Outbound Rules tab.
    • Remove any outbound rules.

IAM groups allow you to edit the name field. After remediating the default group rules for all VPCs in all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES".
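The check this policy expresses, and the end state the remediation steps above should leave behind, as an added example (not Cloudaware's policy logic and not CIS text): it walks the dict shape returned by EC2 DescribeSecurityGroups (a boto3 response or a saved `aws ec2 describe-security-groups` JSON dump) and reports every group named `default` that still carries an inbound or outbound rule. The sample response, group IDs and account ID are constructed.

```python
import json
from typing import Dict, List


def describe_rule(rule: Dict) -> str:
    """Render one IpPermissions entry as 'proto ports -> peers' for a finding."""
    proto = "all" if rule.get("IpProtocol") == "-1" else rule.get("IpProtocol", "?")
    if "FromPort" in rule and rule["FromPort"] != rule.get("ToPort"):
        ports = f"{rule['FromPort']}-{rule['ToPort']}"
    else:
        ports = str(rule["FromPort"]) if "FromPort" in rule else "all"
    peers = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
             + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
             + [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
             + [p["PrefixListId"] for p in rule.get("PrefixListIds", [])])
    return f"{proto} {ports} -> {', '.join(peers) or 'none'}"


def evaluate_default_security_groups(response: Dict) -> List[Dict]:
    """One finding per group named 'default' that still has any inbound or
    outbound rule. Each VPC has exactly one such group; a compliant one has
    both IpPermissions and IpPermissionsEgress empty, as the policy requires."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        if sg.get("GroupName") != "default":
            continue  # customer-created groups are out of scope for this check
        inbound, outbound = sg.get("IpPermissions", []), sg.get("IpPermissionsEgress", [])
        if inbound or outbound:
            findings.append({"GroupId": sg["GroupId"], "VpcId": sg.get("VpcId"),
                             "inbound": [describe_rule(r) for r in inbound],
                             "outbound": [describe_rule(r) for r in outbound]})
    return findings


# Constructed sample in DescribeSecurityGroups shape: vpc-0aaa keeps the factory
# default rules (self-referencing ingress, allow-all egress); vpc-0bbb is remediated.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "default", "VpcId": "vpc-0aaa",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "111111111111"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "default", "VpcId": "vpc-0bbb",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0ccc", "GroupName": "web", "VpcId": "vpc-0bbb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]}

if __name__ == "__main__":
    print(json.dumps(evaluate_default_security_groups(SAMPLE_RESPONSE), indent=2))
```

Run it once per region, since default security groups are regional; an empty result for every region is the compliant state.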

Linked Framework Sections

  • AWS Foundational Security Best Practices v1.0.0 → [EC2.2] VPC default security groups should not allow inbound or outbound traffic
  • CIS AWS v1.2.0 → 4.3 Ensure the default security group of every VPC restricts all traffic
  • CIS AWS v1.3.0 → 5.3 Ensure the default security group of every VPC restricts all traffic
  • CIS AWS v1.4.0 → 5.3 Ensure the default security group of every VPC restricts all traffic
  • CIS AWS v1.5.0 → 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)
  • CIS AWS v2.0.0 → 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)
  • CIS AWS v3.0.0 → 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)
  • CIS AWS v4.0.0 → 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)
  • CIS AWS v4.0.1 → 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)
  • CIS AWS v5.0.0 → 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)
  • CIS AWS v6.0.0 → 6.5 Ensure the default security group of every VPC restricts all traffic (Automated)
  • Cloudaware Framework → Network Exposure
  • FedRAMP High Security Controls → AC-4 Information Flow Enforcement (M)(H)
  • FedRAMP High Security Controls → AC-4(21) Physical or Logical Separation of Information Flows (M)(H)
  • FedRAMP High Security Controls → SC-7 Boundary Protection (L)(M)(H)
  • FedRAMP High Security Controls → SC-7(4) External Telecommunications Services (M)(H)
  • FedRAMP High Security Controls → SC-7(5) Deny by Default — Allow by Exception (M)(H)
  • FedRAMP High Security Controls → SC-7(21) Isolation of System Components (H)
  • FedRAMP Low Security Controls → SC-7 Boundary Protection (L)(M)(H)
  • FedRAMP Moderate Security Controls → AC-4 Information Flow Enforcement (M)(H)
  • FedRAMP Moderate Security Controls → AC-4(21) Physical or Logical Separation of Information Flows (M)(H)
  • FedRAMP Moderate Security Controls → SC-7 Boundary Protection (L)(M)(H)
  • FedRAMP Moderate Security Controls → SC-7(4) External Telecommunications Services (M)(H)
  • FedRAMP Moderate Security Controls → SC-7(5) Deny by Default — Allow by Exception (M)(H)
  • NIST CSF v2.0 → DE.CM-01: Networks and network services are monitored to find potentially adverse events
  • NIST CSF v2.0 → DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
  • NIST CSF v2.0 → ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained
  • NIST CSF v2.0 → PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
  • NIST CSF v2.0 → PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
  • NIST CSF v2.0 → PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
  • NIST CSF v2.0 → PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
  • NIST SP 800-53 Revision 5 → AC-4 Information Flow Enforcement
  • NIST SP 800-53 Revision 5 → AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows
  • NIST SP 800-53 Revision 5 → SC-7 Boundary Protection
  • NIST SP 800-53 Revision 5 → SC-7(4) Boundary Protection | External Telecommunications Services
  • NIST SP 800-53 Revision 5 → SC-7(5) Boundary Protection | Deny by Default — Allow by Exception
  • NIST SP 800-53 Revision 5 → SC-7(11) Boundary Protection | Restrict Incoming Communications Traffic
  • NIST SP 800-53 Revision 5 → SC-7(16) Boundary Protection | Prevent Discovery of System Components
  • NIST SP 800-53 Revision 5 → SC-7(21) Boundary Protection | Isolation of System Components
  • PCI DSS v3.2.1 → 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
  • PCI DSS v3.2.1 → 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
  • PCI DSS v3.2.1 → 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
  • PCI DSS v4.0.1 → 1.3.1 Inbound traffic to the CDE is restricted.
  • PCI DSS v4.0.1 → 1.3.2 Outbound traffic from the CDE is restricted.
  • PCI DSS v4.0.1 → 2.2.2 Vendor default accounts are managed.
  • PCI DSS v4.0 → 1.3.1 Inbound traffic to the CDE is restricted.
  • PCI DSS v4.0 → 1.3.2 Outbound traffic from the CDE is restricted.
  • PCI DSS v4.0 → 2.2.2 Vendor default accounts are managed.
  • UK Cyber Essentials → 1.2 Prevent access to the administrative interface from the internet