Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 6.5 Ensure the default security group of every VPC restricts all traffic

Description

A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If a security group is not specified when an instance is launched, it is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic, both inbound and outbound.

The default VPC in every region should have its default security group updated to comply with the following:

  • No inbound rules.
  • No outbound rules.

Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

Note: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly, as it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering by discovering the minimum ports required by systems in the environment. Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.

Remediation

Perform the following to implement the prescribed state:

Security Group Members

  1. Identify AWS resources that exist within the default security group
  2. Create a set of least-privilege security groups for those resources.
  3. Place the resources in those security groups, removing the resources noted in step 1 from the default security group

From Console:

  1. Login to the AWS VPC Console at https://console.aws.amazon.com/vpc/home.
  2. Repeat the following steps for all VPCs, including the default VPC in each AWS region:
  3. In the left pane, click Security Groups.
  4. For each default security group, perform the following:
  • Select the default security group.
  • Click the Inbound Rules tab.
  • Remove any inbound rules.
  • Click the Outbound Rules tab.
  • Remove any Outbound rules.

From Command Line:

  1. List all default security groups in the specified region
aws ec2 describe-security-groups --region <region-name> --query 'SecurityGroups[?GroupName == `default`]'
  1. Check if the inbound rules (IpPermissions) and outbound rules (IpPermissionsEgress) of the default security group are empty. If the rules are not empty, proceed and note down the Security Group ID (GroupId) of the security group with non-empty rules.
  2. List the inbound security group rule IDs (SecurityGroupRuleId)
aws ec2 describe-security-group-rules --region <region-name> --query 'SecurityGroupRules[?GroupId == `<default-security-group-id>` && IsEgress == `false`]'
  1. Delete the inbound security group rules based on their rule IDs
aws ec2 revoke-security-group-ingress --group-id <default-security-group-id> --security-group-rule-ids <inbound-rule-id-1> <inbound-rule-id-2>
  1. List the outbound security group rule IDs (SecurityGroupRuleId)
aws ec2 describe-security-group-rules --region <region-name> --query 'SecurityGroupRules[?GroupId == `<default-security-group-id>` && IsEgress == `true`]'
  1. Delete the outbound security group rules based on their rule IDs
aws ec2 revoke-security-group-egress --group-id <default-security-group-id> --security-group-rule-ids <outbound-rule-id-1> <outbound-rule-id-2>

Recommended

IAM groups allow you to edit the "name" field. After remediating default group rules for all VPCs in all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES."

Default Value:

By default, each VPC has a “default” security group that allows all outbound traffic and all traffic between resources within the group. No restrictions are enforced unless manually configured.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_6_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_6_5 --share

SQL

This control uses a named query:

select
  arn resource,
  case
    when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'
    else 'alarm'
  end status,
  case
    when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0
      then 'Default security group ' || group_id || ' has inbound and outbound rules.'
    when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0
      then 'Default security group ' || group_id || ' has inbound rules.'
    when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0
      then 'Default security group ' || group_id || ' has outbound rules.'
    else 'Default security group ' || group_id || ' has no inbound or outbound rules.'
  end reason
  
  , region, account_id
from
  aws_vpc_security_group
where
  group_name = 'default';

Tags

category = Compliance
cis = true
cis_item_id = 6.5
cis_level = 2
cis_section_id = 6
cis_type = automated
cis_version = v6.0.0
plugin = aws
service = AWS/VPC