
Rule: The VPC default security group should not allow inbound and outbound traffic

The default security group of every VPC must carry no inbound or outbound rules, so that any resource left in it by mistake has no network access.

Rule: The VPC default security group should not allow inbound and outbound traffic
Framework: AWS Foundational Security Best Practices
Severity: High

Rule Description:

Every VPC is created with a security group named "default", which cannot be deleted. As AWS creates it, that group allows all inbound traffic from resources assigned the same default group and all outbound traffic to any destination, so an instance or network interface launched without an explicit security group silently inherits broad connectivity. This control fails when the default security group has any inbound or outbound rule at all. The intended posture is that every resource is assigned purpose-built security groups and the default group carries no rules, so that anything left in it by mistake gets no network access.

Remediation:

To remediate this finding, follow the steps below:

  1. Log in to the AWS Management Console.
  2. Go to the EC2 (Elastic Compute Cloud) Dashboard.
  3. Click "Security Groups" under "Network & Security" in the left-hand menu.
  4. Locate the security group named "default" for the VPC in the finding. Every VPC has its own default group, so match the group ID and VPC ID rather than the name alone.
  5. Before removing any rule, check that nothing still depends on the group: an instance or network interface whose only security group is the default group loses all connectivity once the rules are gone. Assign such resources purpose-built security groups first.
  6. Select the default security group, open the "Inbound rules" tab and click "Edit inbound rules".
  7. Remove every inbound rule. As AWS creates the group, it has a single "All traffic" inbound rule whose source is the group itself, which permits any traffic between resources that share the default group (not traffic from the internet). Remove it, together with any rule added since.
  8. Click "Save rules".
  9. Open the "Outbound rules" tab and click "Edit outbound rules".
  10. Remove every outbound rule. As AWS creates the group, it has a single "All traffic" outbound rule to 0.0.0.0/0 (plus an equivalent ::/0 rule if the VPC has an IPv6 CIDR block). Remove these as well.
  11. Click "Save rules". Both rule lists should now be empty.

Troubleshooting Steps:

If the finding does not clear after the steps above, work through the following checks:

  1. Verify that you edited the correct group. Every VPC has its own security group named "default"; compare the group ID and VPC ID reported in the finding with the group you modified.
  2. Confirm that the change was saved by refreshing the security group page and checking that both the inbound and outbound rule lists are empty. The control fails on any remaining rule, including the single self-referencing inbound rule.
  3. Check whether something re-creates the rules. Infrastructure-as-code or automation that manages the default group (for example a Terraform aws_default_security_group resource with rules defined) restores them on the next apply, so remove the rules from the definition rather than only in the console.
  4. Network ACLs do not override security groups. A packet must be permitted by both the subnet's network ACL and the security groups on the interface, so a permissive ACL cannot restore traffic to an interface whose only group is an empty default group. If a resource still has connectivity, it is assigned another security group that allows it; review the interface's full list of security groups rather than the ACL.
  5. If the issue still cannot be resolved, contact AWS Support for further assistance.

Additional Information:

To remediate programmatically with the AWS CLI (Command Line Interface), identify the default group of the VPC and then revoke its rules. The rules are passed as --ip-permissions JSON, which mirrors the structure that describe-security-groups returns. Note that the default inbound rule's source is the group itself, whereas the default outbound rule's destination is 0.0.0.0/0, not the group.

  1. Find the ID of the VPC's default security group:

     aws ec2 describe-security-groups --filters Name=vpc-id,Values=<your-vpc-id> Name=group-name,Values=default --query 'SecurityGroups[0].GroupId' --output text

  2. Remove the default inbound rule (all traffic from the group itself):

     aws ec2 revoke-security-group-ingress --group-id <your-security-group-id> --ip-permissions '[{"IpProtocol":"-1","UserIdGroupPairs":[{"GroupId":"<your-security-group-id>"}]}]'

  3. Remove the default outbound rule (all traffic to 0.0.0.0/0):

     aws ec2 revoke-security-group-egress --group-id <your-security-group-id> --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

     If the VPC has an IPv6 CIDR block, repeat the command with --ip-permissions '[{"IpProtocol":"-1","Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]' to remove the matching ::/0 rule.

  4. Confirm that nothing remains (both lists should be empty):

     aws ec2 describe-security-groups --group-ids <your-security-group-id> --query 'SecurityGroups[0].[IpPermissions,IpPermissionsEgress]'

Replace "<your-vpc-id>" and "<your-security-group-id>" with the actual IDs. If further rules were added to the default group after creation, revoke those as well; the control fails while any rule remains. As with the console procedure, move any resource still assigned only the default group to purpose-built security groups before revoking, since the revoked rules are the only thing giving it connectivity.
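The console and CLI procedures above can be combined into one script that audits every default group in a region, refuses to revoke while network interfaces still depend on the group, and otherwise revokes exactly the rules that describe-security-groups reports. The following Python script is an added example, not Cloud Defense's or AWS's code. SAMPLE_GROUPS and SAMPLE_ENIS are constructed to look like describe-security-groups and describe-network-interfaces output, with hypothetical IDs; the live path in main() assumes boto3 is installed with AWS credentials configured, and omits pagination.

```python
import json
import sys

# Fields the revoke-security-group-ingress/egress APIs use from a described rule.
_PERMISSION_KEYS = ("IpProtocol", "FromPort", "ToPort", "IpRanges",
                    "Ipv6Ranges", "PrefixListIds", "UserIdGroupPairs")

# Constructed sample shaped like describe-security-groups output (hypothetical IDs).
# First entry: a default group as AWS creates it. Second: an ordinary group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "default", "VpcId": "vpc-0aaa",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "PrefixListIds": [], "UserIdGroupPairs": [
                            {"GroupId": "sg-0123456789abcdef0", "UserId": "111122223333"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "web-tier", "VpcId": "vpc-0aaa",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "HTTPS"}],
                        "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
]
# Constructed describe-network-interfaces output: one ENI still on the default group.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "Groups": [{"GroupId": "sg-0123456789abcdef0"}]},
    {"NetworkInterfaceId": "eni-0bbb", "Groups": [{"GroupId": "sg-0fedcba9876543210"}]},
]


def is_compliant(group):
    """The control passes only when the group has no inbound and no outbound rules."""
    return not group.get("IpPermissions") and not group.get("IpPermissionsEgress")


def _strip_permission(perm):
    """Keep only the fields the revoke APIs need; drop empty lists and descriptions."""
    out = {}
    for key in _PERMISSION_KEYS:
        value = perm.get(key)
        if value in (None, []):
            continue
        if isinstance(value, list):
            value = [{k: v for k, v in item.items() if k != "Description"} for item in value]
        out[key] = value
    return out


def revocation_plan(group):
    """IpPermissions payloads that remove every rule currently on the group."""
    return {"ingress": [_strip_permission(p) for p in group.get("IpPermissions", [])],
            "egress": [_strip_permission(p) for p in group.get("IpPermissionsEgress", [])]}


def interfaces_using(group_id, network_interfaces):
    """ENIs still assigned the group; they lose all connectivity once its rules go."""
    return sorted(eni["NetworkInterfaceId"] for eni in network_interfaces
                  if any(g.get("GroupId") == group_id for g in eni.get("Groups", [])))


class DryRunClient:
    """Stand-in for a boto3 EC2 client that records revoke calls instead of making them."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke_security_group_ingress", kwargs))

    def revoke_security_group_egress(self, **kwargs):
        self.calls.append(("revoke_security_group_egress", kwargs))


def remediate(ec2, group, network_interfaces, force=False):
    """Revoke all rules on one default group; True when revoke calls were issued.
    Refuses while interfaces still use the group unless force=True, so workloads
    get moved to purpose-built groups before the default group goes dark."""
    gid = group["GroupId"]
    users = interfaces_using(gid, network_interfaces)
    if users and not force:
        print(f"{gid} ({group['VpcId']}): still used by {users}, skipping", file=sys.stderr)
        return False
    plan = revocation_plan(group)
    if plan["ingress"]:
        ec2.revoke_security_group_ingress(GroupId=gid, IpPermissions=plan["ingress"])
    if plan["egress"]:
        ec2.revoke_security_group_egress(GroupId=gid, IpPermissions=plan["egress"])
    return True


def main(argv):
    """Live path: audit every default group in the region; revoke only with --apply."""
    import boto3  # needs AWS credentials; pagination omitted for brevity
    ec2 = boto3.client("ec2")
    groups = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": ["default"]}])["SecurityGroups"]
    for group in groups:
        if is_compliant(group):
            print(f"{group['GroupId']} ({group['VpcId']}): compliant")
            continue
        enis = ec2.describe_network_interfaces(
            Filters=[{"Name": "group-id", "Values": [group["GroupId"]]}])["NetworkInterfaces"]
        target = ec2 if "--apply" in argv else DryRunClient()
        if remediate(target, group, enis, force="--force" in argv) and target is not ec2:
            print(json.dumps(target.calls, indent=2))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments for a dry run that prints the revoke calls it would make, with --apply to issue them, and with --force to revoke even while interfaces still use the group. Revoking the described rules verbatim, rather than hard-coding the two default rules, also clears any rule that was added to the default group later, which is what the control requires.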
