⭐ Repository → 💼 CIS AWS v6.0.0 → 💼 6 Networking
💼 6.5 Ensure the default security group of every VPC restricts all traffic (Automated)
- ID:
/frameworks/cis-aws-v6.0.0/06/05
Description
A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If a security group is not specified when an instance is launched, it is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic, both inbound and outbound.
The default VPC in every region should have its default security group updated to comply with the following:
- No inbound rules.
- No outbound rules.
Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.
Note: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly, as it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering by discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.
Similar
- Sections
/frameworks/cis-aws-v5.0.0/05/05
Similar Sections (Take Policies From)
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS AWS v5.0.0 → 💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated) | 1 | no data |
Similar Sections (Give Policies To)
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CIS AWS v5.0.0 → 💼 5.5 Ensure the default security group of every VPC restricts all traffic (Automated) | 1 | no data |
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|
Policies (1)
| Policy | Logic Count | Flags | Compliance |
|---|---|---|---|
| 🛡️ AWS EC2 Default Security Group does not restrict all traffic🟢 | 1 | 🟢 x6 | no data |