
Ensure the Default Security Group Restrictions Rule

This rule ensures that the default security group in every VPC restricts all traffic.

Rule: Ensure the default security group of every VPC restricts all traffic
Framework: cis_v130
Severity: High

Rule Description:

This rule requires that the default security group of every Virtual Private Cloud (VPC) carry no inbound and no outbound rules, so that it permits no traffic at all, as specified by the CIS AWS Foundations Benchmark version 1.3.0 (cis_v130).

Details:

Amazon Web Services (AWS) creates a default security group in every VPC, including the default VPC of every region. It cannot be deleted, and it is attached to any instance or network interface launched in the VPC without an explicitly chosen security group. A new default security group is created with two rules: an inbound rule allowing all traffic from members of the group itself, and an outbound rule allowing all traffic to 0.0.0.0/0 (plus ::/0 if the VPC has an IPv6 CIDR). Because security groups are allow-lists with an implicit deny, a group with no rules restricts all traffic. To meet this rule, both rule lists of the default security group must be empty, conforming to the requirements of the CIS AWS Foundations Benchmark version 1.3.0; workloads that need network access should be placed in purpose-built security groups instead of relying on the default one.

Troubleshooting Steps:

If the default security group does not restrict all traffic as per the CIS benchmark, you can follow the troubleshooting steps below:

  1. Identify the VPC where the default security group needs to be modified, and look up its default security group ID (the group named "default" in that VPC).
  2. Check whether any network interfaces or instances are still attached to that group; anything that is will lose connectivity once the rules are removed, so move it to a dedicated security group first.
  3. Review the inbound rules of the default security group.
  4. Ensure that the inbound rule list is empty. The inbound rule that AWS creates by default (all traffic from the group itself) also counts as a finding.
  5. If any inbound rules are present, remove them to comply with the CIS benchmark.
  6. Review the outbound rules of the default security group.
  7. Ensure that the outbound rule list is empty. The outbound rule that AWS creates by default (all traffic to 0.0.0.0/0) also counts as a finding.
  8. If any outbound rules are present, remove them to comply with the CIS benchmark.
  9. Repeat for every VPC in every region the account uses, since each region has its own default VPC and default security group.

Necessary Code:

In order to restrict all traffic in the default security group, you remove every inbound and outbound rule it carries; no rule is added in its place. A freshly created default security group has exactly two rules: an inbound rule allowing all traffic from members of the group itself, and an outbound rule allowing all traffic to 0.0.0.0/0. Here are AWS CLI commands to find the group and remove both rules:

  1. To find the ID of the default security group in a VPC:
aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id> Name=group-name,Values=default --query 'SecurityGroups[0].GroupId' --output text

  2. To remove the inbound rule (its source is the group itself, so the same group ID appears twice):
aws ec2 revoke-security-group-ingress --group-id <default-security-group-id> --ip-permissions '[{"IpProtocol":"-1","UserIdGroupPairs":[{"GroupId":"<default-security-group-id>"}]}]'

  3. To remove the outbound rule:
aws ec2 revoke-security-group-egress --group-id <default-security-group-id> --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

  4. To confirm that both rule lists are now empty:
aws ec2 describe-security-groups --group-ids <default-security-group-id> --query 'SecurityGroups[0].[IpPermissions,IpPermissionsEgress]'

Note: Replace <vpc-id> and <default-security-group-id> with the actual IDs from your VPC. If the group has been edited since it was created it may carry other rules; list them with the last command and revoke each one the same way, passing the rule's protocol, ports and source or destination in the --ip-permissions JSON. If the VPC has an IPv6 CIDR, the default group also has an outbound rule to ::/0, which is revoked with "Ipv6Ranges":[{"CidrIpv6":"::/0"}] in place of the IpRanges entry.

Remediation Steps:

Follow the step-by-step guide below to remediate the default security group to comply with the CIS benchmark:

  1. Open the AWS Management Console, navigate to the EC2 service and choose "Security Groups" in the navigation pane.
  2. Filter the list by the ID of the VPC where the default security group needs to be modified and select the group named "default".
  3. Before removing any rules, confirm that nothing still depends on the group. Under "Network Interfaces" in the EC2 console, filter by this security group ID; move any interface or instance found there to a purpose-built security group first, since a group with no rules drops all of its traffic.
  4. Click on the "Inbound rules" tab and review the rules listed.
  5. Click "Edit inbound rules", delete every rule (including the default rule whose source is the group itself) and save the rules.
  6. Click on the "Outbound rules" tab and review the rules listed.
  7. Click "Edit outbound rules", delete every rule (including the default rule to 0.0.0.0/0, and ::/0 if present) and save the rules.
  8. Validate that both the "Inbound rules" and "Outbound rules" tabs are now empty. Do not add application rules to the default security group; traffic your workloads need belongs in dedicated security groups assigned to those workloads.
  9. Repeat these steps for every other VPC, in every region your account uses, ensuring that all default security groups comply with the CIS benchmark.

By following these steps and using the provided AWS CLI commands, you can ensure that the default security group of every VPC restricts all traffic as required by the CIS AWS Foundations Benchmark version 1.3.0 (cis_v130).
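The troubleshooting and remediation steps above are the same loop repeated for every VPC, which is error-prone by hand once an account has many regions. The script below is an added example, not part of the original page or of Cloud Defense's product. It evaluates the JSON structure returned by describe-security-groups (the same shape for the AWS CLI and boto3) against the control, builds the exact IpPermissions that the revoke calls need, and can optionally apply them through boto3. The SAMPLE_RESPONSE is constructed for the example; its VPC, group and account IDs are made up.

```python
import sys

# Constructed sample of what describe-security-groups returns when filtered
# to default groups. IDs and the account number are made up. The first VPC
# still has the two rules AWS creates in every new default group (all traffic
# in from the group itself, all traffic out to 0.0.0.0/0); the second has
# already been emptied and therefore passes the control.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa111122223333a", "GroupName": "default",
            "VpcId": "vpc-0aaa111122223333a",
            "IpPermissions": [{
                "IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                "UserIdGroupPairs": [{"GroupId": "sg-0aaa111122223333a", "UserId": "111111111111"}],
            }],
            "IpPermissionsEgress": [{
                "IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
            }],
        },
        {
            "GroupId": "sg-0bbb111122223333b", "GroupName": "default",
            "VpcId": "vpc-0bbb111122223333b",
            "IpPermissions": [], "IpPermissionsEgress": [],
        },
    ]
}


def default_groups(response):
    """Keep only each VPC's default group (name 'default'; there is exactly one per VPC)."""
    return [sg for sg in response["SecurityGroups"] if sg["GroupName"] == "default"]


def is_compliant(sg):
    """The control passes only when the group has no inbound and no outbound rules at all."""
    return not sg["IpPermissions"] and not sg["IpPermissionsEgress"]


def revoke_permissions(sg):
    """Build the IpPermissions lists for the revoke calls from the describe output.

    Each permission is reduced to its protocol, port range and the non-empty
    source/destination lists, which is all a revoke needs to match the rule.
    """
    def strip(perm):
        out = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):
            if key in perm:
                out[key] = perm[key]
        for key in ("IpRanges", "Ipv6Ranges", "PrefixListIds", "UserIdGroupPairs"):
            if perm.get(key):
                out[key] = perm[key]
        return out

    return {"ingress": [strip(p) for p in sg["IpPermissions"]],
            "egress": [strip(p) for p in sg["IpPermissionsEgress"]]}


def audit(response):
    """Return one finding per VPC: group ID, compliance, and how many rules remain."""
    return {
        sg["VpcId"]: {
            "group_id": sg["GroupId"],
            "compliant": is_compliant(sg),
            "ingress_rules": len(sg["IpPermissions"]),
            "egress_rules": len(sg["IpPermissionsEgress"]),
        }
        for sg in default_groups(response)
    }


def remediate(ec2, sg):
    """Revoke every rule on one default group through an EC2 client (boto3 or a stand-in).

    Returns the number of revoke calls made so the caller can report them.
    """
    perms = revoke_permissions(sg)
    calls = 0
    if perms["ingress"]:
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=perms["ingress"])
        calls += 1
    if perms["egress"]:
        ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=perms["egress"])
        calls += 1
    return calls


def main(argv):
    # Without flags the script runs offline over SAMPLE_RESPONSE. --live audits
    # the region of the current AWS config; --apply also revokes the rules.
    if "--live" in argv or "--apply" in argv:
        import boto3  # only needed against a real account
        ec2 = boto3.client("ec2")
        response = {"SecurityGroups": []}
        paginator = ec2.get_paginator("describe_security_groups")
        for page in paginator.paginate(Filters=[{"Name": "group-name", "Values": ["default"]}]):
            response["SecurityGroups"].extend(page["SecurityGroups"])
    else:
        ec2, response = None, SAMPLE_RESPONSE
    for vpc_id, f in audit(response).items():
        state = "OK" if f["compliant"] else "NONCOMPLIANT (%d inbound, %d outbound)" % (
            f["ingress_rules"], f["egress_rules"])
        print(vpc_id, f["group_id"], state)
    if "--apply" in argv:
        for sg in default_groups(response):
            if not is_compliant(sg):
                print("revoked rules on", sg["GroupId"], "calls:", remediate(ec2, sg))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the evaluation over the constructed sample, with --live to audit the region of your current AWS profile (it needs ec2:DescribeSecurityGroups), and with --apply to also revoke the rules (ec2:RevokeSecurityGroupIngress and ec2:RevokeSecurityGroupEgress). Run it once per region, and, as in the manual steps, check for network interfaces still attached to a default group before using --apply, because an emptied group drops all of their traffic.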
