Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 2.7 Ensure Default EC2 Security groups are not being used

Description

When an EC2 instance is launched a specified custom security group should be assigned to the instance.

When an EC2 Instance is launched the default security group is automatically assigned. In error a lot of instances are launched in this way, and if the default security group is configured to allow unrestricted access, it will increase the attack footprint allowing the opportunity for malicious activity.

Remediation

From Console:

  1. Login to EC2 using https://console.aws.amazon.com/ec2/.
  2. On the left Click Network & Security, click Security Groups.
  3. Select Security Groups.
  4. Click on the default Security Group you want to review.
  5. Click Actions, View details.
  6. Select the Inbound rules tab.
  7. Click on Edit inbound rules.
  8. Click on Delete for all the rules listed.
  9. Once there are no rules listed click on 'Save rules`
  10. Repeat steps no. 3 – 8 for any other default security groups listed.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_2_7 --share

SQL

This control uses a named query:

select
  arn resource,
  case
    when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'
    else 'alarm'
  end status,
  case
    when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0
      then 'Default security group ' || group_id || ' has inbound and outbound rules.'
    when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0
      then 'Default security group ' || group_id || ' has inbound rules.'
    when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0
      then 'Default security group ' || group_id || ' has outbound rules.'
    else 'Default security group ' || group_id || ' has no inbound or outbound rules.'
  end reason
  
  , region, account_id
from
  aws_vpc_security_group
where
  group_name = 'default';

Tags

category = Compliance
cis = true
cis_item_id = 2.7
cis_level = 1
cis_section_id = 2
cis_type = manual
cis_version = v1.0.0
plugin = aws
service = AWS/EC2