
Rule: VPC Default Security Group Restriction

This rule ensures that the default security group of each VPC allows no inbound and no outbound traffic.

Rule: VPC default security group should not allow inbound and outbound traffic
Framework: CISA-cyber-essentials
Severity: Medium

VPC Default Security Group Rule for CISA Cyber Essentials

Description:

Every Amazon Virtual Private Cloud (VPC) is created with a default security group, the stateful firewall applied to any instance or network interface launched without an explicitly chosen security group. In its initial state the default security group allows all inbound traffic from resources that are members of the same group and all outbound traffic to any destination. This rule, mapped here to the CISA Cyber Essentials framework, checks that the default security group of every VPC carries no inbound rules and no outbound rules, so that nothing placed in it by default can send or receive traffic.

Policy:

The default security group of every VPC must contain no inbound rules and no outbound rules. Traffic is then governed only by purpose-built security groups that each workload is explicitly assigned, and a resource that is accidentally launched into the default group cannot communicate with anything until an appropriate group is attached. The default security group cannot be deleted, so emptying it is the only way to neutralize it.

Troubleshooting Steps:

If this rule keeps reporting a finding, or remediation causes an outage, check the following:

  1. Confirm that the default security group has zero inbound rules and zero outbound rules. The rule is evaluated per VPC, and security groups are regional, so check the default security group of every VPC in every region you use.
  2. Identify any instances or network interfaces that are still members of the default security group. They lose all connectivity the moment its rules are removed, so move them to a purpose-built security group first.
  3. Remember that creating a new VPC creates a new default security group with the permissive initial rules, so a recently created VPC can re-trigger this finding even after earlier remediation.

Necessary Codes:

No application code changes are required for this policy; remediation is done entirely through VPC configuration.

Remediation Steps:

To remediate and enforce the VPC default security group rule for CISA Cyber Essentials, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the Amazon VPC service.
  2. From the navigation pane, select "Security Groups."
  3. Filter by the group name "default" and locate the default security group of the VPC you are remediating (every VPC has exactly one).
  4. Click on the default security group to open its configuration.
  5. In the "Inbound rules" tab, choose "Edit inbound rules" and delete every rule, including the initial rule that allows all traffic from the security group itself.
  6. In the "Outbound rules" tab, choose "Edit outbound rules" and delete every rule, including the initial rule that allows all traffic to 0.0.0.0/0.
  7. Save the changes, then repeat for the default security group of every other VPC and region in use.

CLI Command:

Alternatively, remove the rules with the AWS CLI. An untouched default security group has one inbound rule (all traffic from the group itself) and one outbound rule (all traffic to 0.0.0.0/0); revoke them with:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol all --source-group <security-group-id>
aws ec2 revoke-security-group-egress --group-id <security-group-id> --protocol all --cidr 0.0.0.0/0

Replace <security-group-id> with the ID of the VPC's default security group. It appears twice in the first command because the initial inbound rule references the group itself. For any additional rule someone has added to the group, specify its protocol, port and source or destination instead, and run the matching ingress or egress command once per rule until both directions are empty.

Note: Ensure that your IAM principal is allowed the ec2:RevokeSecurityGroupIngress and ec2:RevokeSecurityGroupEgress actions, and that no workload still depends on the default security group before you revoke its rules.

By following these steps, the default security group of each VPC permits no traffic, every workload must be explicitly assigned a purpose-built security group, and the environment stays consistent with the CISA Cyber Essentials control this rule maps to.
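As an added example (not part of the original page or of Cloud Defense's product), the following Python script performs the check and builds the remediation commands from the JSON the AWS CLI returns, so the plan can be reviewed offline before anything is revoked. The sample JSON and all IDs are constructed; in real use, replace them with the output of `aws ec2 describe-security-groups --filters Name=group-name,Values=default --output json` and `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg-id> --output json`. It goes slightly beyond the steps above by also listing network interfaces still attached to the default group, since those lose all connectivity the moment the rules are revoked.

```python
import json
import shlex

# Constructed sample (IDs made up) shaped like the output of
#   aws ec2 describe-security-groups --filters Name=group-name,Values=default --output json
# trimmed to the fields this check uses. The first group is an untouched AWS default:
# one inbound rule (all traffic from the group itself) and one outbound rule (all
# traffic to 0.0.0.0/0). The second has already been emptied and is compliant.
SAMPLE_DESCRIBE_SGS = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "default", "VpcId": "vpc-0aaa1111",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "111111111111"}]}
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "PrefixListIds": [], "UserIdGroupPairs": []}
            ],
        },
        {
            "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "default", "VpcId": "vpc-0bbb2222",
            "IpPermissions": [], "IpPermissionsEgress": [],
        },
    ]
})

# Constructed sample shaped like
#   aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg-id> --output json
# One interface (belonging to an EC2 instance) is still a member of the first default group.
SAMPLE_DESCRIBE_ENIS = json.dumps({
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0c0ffee0000000001", "VpcId": "vpc-0aaa1111",
         "Groups": [{"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "default"}],
         "Attachment": {"InstanceId": "i-0deadbeef0000001"}},
    ]
})


def find_open_default_groups(describe_sgs_json):
    """Return (GroupId, VpcId, inbound_rule_count, outbound_rule_count) for every
    group named 'default' that still carries at least one rule in either direction."""
    findings = []
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        if sg["GroupName"] != "default":
            continue
        n_in = len(sg.get("IpPermissions", []))
        n_out = len(sg.get("IpPermissionsEgress", []))
        if n_in or n_out:
            findings.append((sg["GroupId"], sg["VpcId"], n_in, n_out))
    return findings


def attached_interfaces(describe_enis_json, group_id):
    """Network interfaces that are members of group_id. Anything listed here loses
    all connectivity the moment the group's rules are revoked, so it must be moved
    to a purpose-built security group before remediation."""
    return [eni["NetworkInterfaceId"]
            for eni in json.loads(describe_enis_json)["NetworkInterfaces"]
            if any(g["GroupId"] == group_id for g in eni["Groups"])]


def remediation_commands(describe_sgs_json):
    """Build one revoke command per direction per non-compliant default group.
    Feeding the described IpPermissions back through --ip-permissions revokes every
    rule in that direction in a single call, whatever protocol, port or source it
    uses, which is safer than re-typing each rule by hand. shlex.quote makes the
    JSON safe to paste into a POSIX shell even if a rule description contains quotes."""
    cmds = []
    for sg in json.loads(describe_sgs_json)["SecurityGroups"]:
        if sg["GroupName"] != "default":
            continue
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            perms = sg.get(key, [])
            if perms:
                cmds.append(
                    f"aws ec2 revoke-security-group-{direction} --group-id {sg['GroupId']} "
                    f"--ip-permissions {shlex.quote(json.dumps(perms, separators=(',', ':')))}")
    return cmds


if __name__ == "__main__":
    for gid, vpc, n_in, n_out in find_open_default_groups(SAMPLE_DESCRIBE_SGS):
        print(f"NON-COMPLIANT {gid} in {vpc}: {n_in} inbound, {n_out} outbound rule(s)")
        blockers = attached_interfaces(SAMPLE_DESCRIBE_ENIS, gid)
        if blockers:
            print(f"  still attached: {blockers} (reassign before revoking)")
    print("Remediation:")
    for cmd in remediation_commands(SAMPLE_DESCRIBE_SGS):
        print("  " + cmd)
```

Run it and paste the printed commands into a shell that has the permissions noted above, or feed real describe output into the functions. Because each command carries the rules exactly as AWS described them, it also removes any non-default rules added later, and a second run of the check against fresh describe output confirms that both directions are empty.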
