🛡️ AWS EC2 Default Security Group does not restrict all traffic🟢

  • Contextual name: 🛡️ Default Security Group does not restrict all traffic🟢
  • ID: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

  • ✉️ dec-x-ecd99f881

Description

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

The default VPC in every region should have its default security group updated to comply with the following:

  • No inbound rules.
  • No outbound rules.

NOTE: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.

Remediation

Security Group Members

Perform the following to implement the prescribed state:

  1. Identify AWS resources that exist within the default security group.
  2. Create a set of least privilege security groups for those resources.
  3. Place the resources in those security groups.
  4. Remove the resources noted in #1 from the default security group.

Security Group State

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

  2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:

  3. In the left pane, click Security Groups.

  4. For each default security group, perform the following:

    • Select the default security group.
    • Click the Inbound Rules tab.
    • Remove any inbound rules.
    • Click the Outbound Rules tab.
    • Remove any outbound rules.

IAM groups allow you to edit the name field. After remediating the default group rules for all VPCs in all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES."
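The check this policy performs and the ordering the remediation steps require (move members out before emptying the group), as added example code that is not part of the policy or of Cloudaware's implementation. It operates on dicts shaped like boto3's describe_security_groups and describe_network_interfaces responses; the sample groups, ENIs and ids are constructed, and the plan it returns is the keyword arguments for boto3's revoke_security_group_ingress / revoke_security_group_egress calls.

```python
# Added audit helpers for the check and the remediation steps above; they work on
# dicts shaped like boto3's describe_security_groups / describe_network_interfaces
# output, with constructed sample data in place of live API responses.

def default_group_findings(security_groups):
    """One finding per default security group that still has any inbound or outbound rule."""
    findings = []
    for sg in security_groups:
        inbound = sg.get("IpPermissions", [])
        outbound = sg.get("IpPermissionsEgress", [])
        if sg["GroupName"] == "default" and (inbound or outbound):
            findings.append({"VpcId": sg["VpcId"], "GroupId": sg["GroupId"],
                             "inbound": len(inbound), "outbound": len(outbound)})
    return findings

def members_of(group_id, network_interfaces):
    """Step 1: ENIs (hence instances) still attached to the group, via each ENI's Groups list."""
    return sorted(eni["NetworkInterfaceId"] for eni in network_interfaces
                  if any(g["GroupId"] == group_id for g in eni.get("Groups", [])))

def revoke_plan(sg, network_interfaces):
    """Keyword arguments for revoke_security_group_ingress/egress that empty the group.
    Refuses while anything is still placed in it, so steps 2-4 happen before the rules go."""
    members = members_of(sg["GroupId"], network_interfaces)
    if members:
        raise RuntimeError(f"{sg['GroupId']} still has members {members}; move them first")
    plan = []
    if sg.get("IpPermissions"):
        plan.append(("revoke_security_group_ingress",
                     {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissions"]}))
    if sg.get("IpPermissionsEgress"):
        plan.append(("revoke_security_group_egress",
                     {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissionsEgress"]}))
    return plan

# Constructed sample: vpc-0a1's default group keeps the initial self-referencing inbound
# rule and allow-all egress and still has an ENI in it; vpc-0b2's is already empty.
SAMPLE_GROUPS = [
    {"GroupName": "default", "GroupId": "sg-0a1", "VpcId": "vpc-0a1",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "default", "GroupId": "sg-0b2", "VpcId": "vpc-0b2",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupName": "web", "GroupId": "sg-0c3", "VpcId": "vpc-0a1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}], "IpPermissionsEgress": []},
]
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-0a1"}]},
               {"NetworkInterfaceId": "eni-2", "Groups": [{"GroupId": "sg-0c3"}]}]
```

Run it against every region's groups to get the same per-VPC view the console steps give; the plan for vpc-0a1 only becomes available once eni-1 has been moved into a least-privilege group.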

Linked Framework Sections

  • 💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.2] VPC default security groups should not allow inbound or outbound traffic
  • 💼 CIS AWS v1.2.0 → 💼 4.3 Ensure the default security group of every VPC restricts all traffic
  • 💼 CIS AWS v1.3.0 → 💼 5.3 Ensure the default security group of every VPC restricts all traffic
  • 💼 CIS AWS v1.4.0 → 💼 5.3 Ensure the default security group of every VPC restricts all traffic
  • 💼 CIS AWS v1.5.0 → 💼 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)
  • 💼 CIS AWS v2.0.0 → 💼 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)
  • 💼 CIS AWS v3.0.0 → 💼 5.4 Ensure the default security group of every VPC restricts all traffic - Level 2 (Automated)
  • 💼 CIS AWS v4.0.0 → 💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)
  • 💼 CIS AWS v4.0.1 → 💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)
  • 💼 CIS AWS v5.0.0 → 💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated)
  • 💼 CIS AWS v6.0.0 → 💼 6.5 Ensure the default security group of every VPC restricts all traffic (Automated)
  • 💼 Cloudaware Framework → 💼 Secure Access
  • 💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)
  • 💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)
  • 💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
  • 💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained
  • 💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
  • 💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected
  • 💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected
  • 💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection | External Telecommunications Services
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(5) Boundary Protection | Deny by Default — Allow by Exception
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection | Restrict Incoming Communications Traffic
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection | Prevent Discovery of System Components
  • 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection | Isolation of System Components
  • 💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
  • 💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
  • 💼 PCI DSS v3.2.1 → 💼 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
  • 💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.
  • 💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.
  • 💼 PCI DSS v4.0.1 → 💼 2.2.2 Vendor default accounts are managed.
  • 💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.
  • 💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.
  • 💼 PCI DSS v4.0 → 💼 2.2.2 Vendor default accounts are managed.
  • 💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet