Control: 5.3 Ensure the default security group of every VPC restricts all traffic
Description
A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.
Configuring all VPC default security groups to restrict all traffic encourages least-privilege security group design and deliberate placement of AWS resources into purpose-built security groups, which in turn reduces the exposure of those resources.
Remediation
Security Group Members
Perform the following to implement the prescribed state:
1. Identify AWS resources that exist within the default security group.
2. Create a set of least-privilege security groups for those resources.
3. Place the resources in those security groups.
4. Remove the resources noted in step 1 from the default security group.
From Console
- Login to the AWS VPC Console.
- Repeat the next steps for all VPCs, including the default VPC in each AWS region:
- In the left pane, click Security Groups.
- For each default security group, perform the following:
  - Select the default security group.
  - Choose the Inbound rules tab and delete all inbound rules.
  - Choose the Outbound rules tab and delete all outbound rules.
- Create a set of least-privilege security groups for the resources. See here for more details.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v130_5_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v130_5_3 --share
SQL
This control uses a named query:
vpc_default_security_group_restricts_all_traffic
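The control's pass/fail logic and step 1 of the remediation (finding what still sits in a default security group) can both be reproduced offline against data shaped like the EC2 API. The following is an added example, not the named query or any code from the Powerpipe mod: it evaluates constructed records shaped like `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` output (all IDs and account numbers are hypothetical), flags a default group as `alarm` when it carries any inbound or outbound rule, and lists the network interfaces still attached to a failing group.

```python
"""Local evaluation of CIS 5.3 over EC2-API-shaped data (added example)."""
import json

# Constructed sample shaped like `aws ec2 describe-security-groups`.
# Group, VPC and account IDs are hypothetical placeholders.
SAMPLE_SECURITY_GROUPS = [
    {   # default group still carrying the stock self-referencing inbound
        # rule and the allow-all outbound rule: this fails the control
        "GroupId": "sg-0aaa111", "GroupName": "default", "VpcId": "vpc-0aaa111",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0aaa111", "UserId": "111111111111"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "PrefixListIds": [], "UserIdGroupPairs": []},
        ],
    },
    {   # default group with every rule deleted: this passes
        "GroupId": "sg-0bbb222", "GroupName": "default", "VpcId": "vpc-0bbb222",
        "IpPermissions": [], "IpPermissionsEgress": [],
    },
    {   # a purpose-built group is out of scope for this control
        "GroupId": "sg-0ccc333", "GroupName": "web-tier", "VpcId": "vpc-0bbb222",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "PrefixListIds": [], "UserIdGroupPairs": []},
        ],
        "IpPermissionsEgress": [],
    },
]

# Constructed sample shaped like `aws ec2 describe-network-interfaces`.
SAMPLE_NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa111", "VpcId": "vpc-0aaa111",
     "Groups": [{"GroupId": "sg-0aaa111", "GroupName": "default"}],
     "Attachment": {"InstanceId": "i-0aaa111"}},
    {"NetworkInterfaceId": "eni-0bbb222", "VpcId": "vpc-0bbb222",
     "Groups": [{"GroupId": "sg-0ccc333", "GroupName": "web-tier"}],
     "Attachment": {"InstanceId": "i-0bbb222"}},
]


def load_security_groups(cli_json: str) -> list:
    """Parse the JSON document `aws ec2 describe-security-groups` prints."""
    return json.loads(cli_json)["SecurityGroups"]


def rule_count(permissions: list) -> int:
    """Count individual rules. One IpPermissions element fans out to one rule
    per CIDR, IPv6 range, prefix list or referenced group, so count those
    sources rather than the elements themselves."""
    total = 0
    for perm in permissions:
        total += (len(perm.get("IpRanges", [])) + len(perm.get("Ipv6Ranges", []))
                  + len(perm.get("PrefixListIds", [])) + len(perm.get("UserIdGroupPairs", [])))
    return total


def evaluate_default_group(sg: dict) -> dict:
    """A default group is compliant only when it has no inbound and no outbound rules."""
    ingress = rule_count(sg.get("IpPermissions", []))
    egress = rule_count(sg.get("IpPermissionsEgress", []))
    status = "ok" if ingress == 0 and egress == 0 else "alarm"
    reason = f"{sg['GroupId']} ({sg['VpcId']}) has {ingress} inbound and {egress} outbound rule(s)."
    return {"resource": sg["GroupId"], "vpc_id": sg["VpcId"], "status": status, "reason": reason}


def run_control(security_groups: list) -> list:
    """Evaluate every group named 'default'; other groups are ignored, as in the control."""
    return [evaluate_default_group(sg) for sg in security_groups if sg.get("GroupName") == "default"]


def members_of_group(group_id: str, network_interfaces: list) -> list:
    """Remediation step 1: network interfaces (and so instances) still in the group."""
    return [ni["NetworkInterfaceId"] for ni in network_interfaces
            if any(g.get("GroupId") == group_id for g in ni.get("Groups", []))]


if __name__ == "__main__":
    for finding in run_control(SAMPLE_SECURITY_GROUPS):
        print(finding["status"].upper(), finding["reason"])
        if finding["status"] == "alarm":
            attached = members_of_group(finding["resource"], SAMPLE_NETWORK_INTERFACES)
            print("  still attached:", ", ".join(attached) if attached else "none")
```

Counting rule sources rather than `IpPermissions` elements matters because the console shows one row per source, and a group whose only element has empty `IpRanges` and `UserIdGroupPairs` lists is effectively rule-free. Feed real output through `load_security_groups` to evaluate an account instead of the constructed sample.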