This rule focuses on restricting all traffic in the default security group of each VPC to enhance network security.
| Rule | Ensure the default security group of every VPC restricts all traffic |
| --- | --- |
| Framework | cis_v140 |
| Severity | ✔ High |
Rule Overview
The rule "Ensure the default security group of every VPC restricts all traffic" is based on the CIS (Center for Internet Security) AWS Foundations Benchmark v1.4.0. The intention of this rule is to ensure that the default security group in a VPC does not allow unrestricted inbound or outbound traffic. This is a critical security best practice, as unrestricted security groups can provide an open door for malicious activities such as unauthorized access or data exfiltration.
Troubleshooting Steps
If this rule is violated, the default security group of a VPC is misconfigured: it carries inbound or outbound rules that permit unrestricted traffic. To troubleshoot, inspect the inbound and outbound rules of that default security group.
Check Security Group Rules
Use the List Security Groups and Review Security Group Rules AWS CLI commands in the next section to identify each default security group and list its current rules.
Remediate Security Group Rules
If any rule permits unrestricted traffic, revoke it with the Remove Inbound Rule and Remove Outbound Rule commands in the next section, repeating for every offending rule.
Necessary AWS CLI Commands
To view the inbound and outbound rules of the default security group, the following AWS CLI (Command Line Interface) commands can be used:
List Security Groups
aws ec2 describe-security-groups --filters Name=group-name,Values='default' --query 'SecurityGroups[*].{ID:GroupId, Tags:Tags}'
Review Security Group Rules
aws ec2 describe-security-group-rules --filters Name=group-id,Values='sg-xxxxxxxx'
Replace 'sg-xxxxxxxx' with the actual Security Group ID of the default security group.
Remove Inbound Rule
aws ec2 revoke-security-group-ingress --group-id sg-xxxxxxxx --protocol all --cidr 0.0.0.0/0
Remove Outbound Rule
aws ec2 revoke-security-group-egress --group-id sg-xxxxxxxx --protocol all --cidr 0.0.0.0/0
Repeat these revoke commands for each unwanted rule identified.
Step by Step Guide for Remediation
To restrict all traffic through the default security group of a VPC, follow this step-by-step guide:
Step 1: List the default security groups
Use the above List Security Groups AWS CLI command to identify default security groups.
Step 2: Review the security group rules
Use the above Review Security Group Rules AWS CLI command to inspect the inbound and outbound rules.
Step 3: Revoke unrestricted access
For each rule that allows unrestricted access, use the Remove Inbound Rule and Remove Outbound Rule AWS CLI commands to remedy the problem.
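As an added example, not part of the original rule page or of any compliance tool, the script below applies the check and the three remediation steps programmatically. It parses JSON shaped like the output of the Review Security Group Rules command, classifies each rule, applies the pass/fail test (a default security group passes only when it has no rules at all), and generates one revoke command per rule. The rule data is a constructed sample; the group and rule IDs are placeholders, and the script prints the revoke commands instead of executing them.

```python
"""Evaluate a VPC default security group against the CIS 1.4.0 rule
"Ensure the default security group of every VPC restricts all traffic".

SAMPLE_RULES_JSON is a constructed sample shaped like the output of
`aws ec2 describe-security-group-rules --filters Name=group-id,Values=sg-...`;
the IDs in it are placeholders, not real resources.
"""
import json

OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"

# Constructed sample: the two rules AWS creates for a new default security group
# (inbound: all traffic from the group itself; outbound: all traffic to anywhere)
# plus one rule an operator added later (inbound SSH from anywhere).
SAMPLE_RULES_JSON = """
{
  "SecurityGroupRules": [
    {"SecurityGroupRuleId": "sgr-0000000000000001", "GroupId": "sg-0000000000000001",
     "IsEgress": false, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "ReferencedGroupInfo": {"GroupId": "sg-0000000000000001"}},
    {"SecurityGroupRuleId": "sgr-0000000000000002", "GroupId": "sg-0000000000000001",
     "IsEgress": true, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "CidrIpv4": "0.0.0.0/0"},
    {"SecurityGroupRuleId": "sgr-0000000000000003", "GroupId": "sg-0000000000000001",
     "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "CidrIpv4": "0.0.0.0/0"}
  ]
}
"""


def parse_rules(describe_output_json):
    """Parse the JSON printed by `aws ec2 describe-security-group-rules`."""
    return json.loads(describe_output_json)["SecurityGroupRules"]


def is_internet_open(rule):
    """True when the rule's peer is the whole IPv4 or IPv6 Internet, whatever the protocol."""
    return rule.get("CidrIpv4") == OPEN_V4 or rule.get("CidrIpv6") == OPEN_V6


def describe_rule(rule):
    """Return a short human-readable label for one rule, for reports and logs."""
    direction = "egress" if rule.get("IsEgress") else "ingress"
    proto = "all" if rule.get("IpProtocol") == "-1" else rule.get("IpProtocol")
    ports = "all ports" if proto == "all" else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
    if "ReferencedGroupInfo" in rule:
        peer = "group " + rule["ReferencedGroupInfo"]["GroupId"]
    else:
        peer = rule.get("CidrIpv4") or rule.get("CidrIpv6") or rule.get("PrefixListId") or "unknown"
    return f"{rule['SecurityGroupRuleId']} {direction} {proto} {ports} {peer}"


def evaluate_default_group(rules):
    """Apply the check: a default security group passes only when it has no rules.

    The verdict also lists the rules that reach the whole Internet, which are the
    ones to revoke first.
    """
    return {
        "compliant": len(rules) == 0,
        "rule_count": len(rules),
        "internet_open": [r["SecurityGroupRuleId"] for r in rules if is_internet_open(r)],
    }


def revoke_commands(rules):
    """Build one AWS CLI revoke command per rule, keyed by rule ID.

    Revoking by --security-group-rule-ids matches every rule shape, including the
    default inbound rule that references the group itself, which a
    `--cidr 0.0.0.0/0` filter would never match.
    """
    cmds = []
    for r in rules:
        verb = "revoke-security-group-egress" if r.get("IsEgress") else "revoke-security-group-ingress"
        cmds.append(f"aws ec2 {verb} --group-id {r['GroupId']} "
                    f"--security-group-rule-ids {r['SecurityGroupRuleId']}")
    return cmds


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_JSON)
    verdict = evaluate_default_group(rules)
    print("compliant:", verdict["compliant"])
    for r in rules:
        flag = "OPEN-TO-INTERNET" if r["SecurityGroupRuleId"] in verdict["internet_open"] else "scoped"
        print(f"  {flag:16} {describe_rule(r)}")
    print("remediation:")
    for c in revoke_commands(rules):
        print("  " + c)
```

To use it against a live account, feed `parse_rules` the JSON printed by the Review Security Group Rules command for each group ID returned by the List Security Groups command. The revoke commands are generated by rule ID rather than by CIDR because the inbound rule AWS creates on every default security group has the group itself as its source; a `--cidr 0.0.0.0/0` revoke leaves that rule in place and the group still fails the check.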
By following these steps and commands, you can ensure that the default security group in every VPC follows CIS benchmarks and does not allow unrestricted traffic. This will help maintain a strong security posture and protect your cloud environment from potential threats.