
Rule: VPC Default Security Group Restriction

This rule ensures that the VPC default security group restricts all inbound and outbound traffic.

Rule: VPC default security group should not allow inbound and outbound traffic
Framework: GxP 21 CFR Part 11
Severity: Medium

VPC Default Security Group Restriction for GxP 21 CFR Part 11

Description:

The VPC (Virtual Private Cloud) default security group is the network access control mechanism that Amazon Web Services (AWS) provides with every VPC to control inbound and outbound traffic for resources within that VPC. For compliance with the GxP 21 CFR Part 11 regulations, which are specific to electronic records and electronic signatures in the pharmaceutical and life sciences industries, inbound and outbound traffic in the default security group must be restricted.

The GxP 21 CFR Part 11 regulations require stringent controls on electronic records and signatures to ensure data integrity, confidentiality, availability, and traceability. This includes control over network traffic to prevent unauthorized access or data breaches.

Policy:

The default security group associated with the VPC should have inbound and outbound traffic completely restricted to comply with the GxP 21 CFR Part 11 regulations. This restriction helps to safeguard sensitive data and prevent unauthorized access, ensuring compliance with regulatory requirements.

Troubleshooting Steps:

In case of issues or non-compliance with this policy, the following troubleshooting steps can be taken:

  1. Identify the VPC: Identify the VPC associated with the default security group that needs to be restricted.

  2. Review existing inbound and outbound rules: Check the current inbound and outbound rules associated with the default security group to identify any existing permissions that violate the GxP 21 CFR Part 11 requirement.

  3. Adjust rules or create new rules: Modify or create inbound and outbound rules so that there is no explicit permission allowing traffic in either direction.

  4. Test connectivity: Once the security group rules have been adjusted, test the connectivity to confirm that inbound and outbound traffic has been restricted as the GxP 21 CFR Part 11 regulations require.

Necessary Codes:

No specific code is required to implement this policy. The necessary steps involve modifying or creating new security group rules.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console.
  2. Open the Amazon VPC service.
  3. In the navigation pane, click on "Security Groups."
  4. Locate the default security group associated with the VPC that needs to be restricted.
  5. Select the security group and click on the "Inbound Rules" or "Outbound Rules" tab, depending on whether you want to restrict inbound or outbound traffic.
  6. Review the existing rules and identify any permissions that violate the GxP 21 CFR Part 11 regulations.
  7. Remove any existing rules that allow inbound or outbound traffic that is not compliant with the regulation.
  8. Add new rules to explicitly deny all inbound and outbound traffic.
  9. Save the changes to update the security group.
  10. Test the connectivity to ensure that inbound and outbound traffic is restricted as required.
  11. Document the changes made to the security group for future reference and audit purposes.

Following these steps will enforce the necessary restrictions on the VPC default security group to align with the GxP 21 CFR Part 11 regulations, ensuring compliance and data security.
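As an added example (not code from the original rule page or from Cloud Defense), the following Python script evaluates default security group descriptions for the compliant state described in the troubleshooting steps and the remediation guide above, and can revoke any remaining rules through boto3. The boto3 library and AWS credentials are assumed only for the two live functions; the sample group data and its identifiers are constructed placeholders.

```python
"""Audit AWS VPC default security groups for the no-rules state (added example)."""
from typing import Dict, List

# Constructed sample in the shape of EC2 DescribeSecurityGroups output; the
# identifiers are placeholders. The first group still carries the stock default
# rules (self-referencing inbound, allow-all outbound); the second has none left.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-0000000000000aaaa", "GroupName": "default", "VpcId": "vpc-0000000000000aaaa",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-0000000000000aaaa"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000bbbb", "GroupName": "default", "VpcId": "vpc-0000000000000bbbb",
     "IpPermissions": [], "IpPermissionsEgress": []},
]

def evaluate_default_group(group: Dict) -> Dict:
    """Security groups are allow-only, so a default group with zero inbound and
    zero outbound rules denies all traffic; that is the compliant state."""
    inbound = group.get("IpPermissions", [])
    outbound = group.get("IpPermissionsEgress", [])
    return {"GroupId": group["GroupId"], "VpcId": group.get("VpcId"),
            "inbound_rules": len(inbound), "outbound_rules": len(outbound),
            "compliant": not inbound and not outbound}

def evaluate_all(groups: List[Dict]) -> List[Dict]:
    """Evaluate only groups named 'default'; other groups are out of scope here."""
    return [evaluate_default_group(g) for g in groups if g.get("GroupName") == "default"]

def fetch_default_groups(region: str) -> List[Dict]:
    """Live variant: list every default group via boto3 (needs AWS credentials).
    boto3 is imported here so the pure checks above run without it installed."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_security_groups").paginate(
        Filters=[{"Name": "group-name", "Values": ["default"]}])
    return [g for page in pages for g in page["SecurityGroups"]]

def remediate(region: str, group: Dict) -> None:
    """Revoke every remaining rule on a non-compliant default group (step 7 above)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    if group.get("IpPermissions"):
        ec2.revoke_security_group_ingress(GroupId=group["GroupId"],
                                          IpPermissions=group["IpPermissions"])
    if group.get("IpPermissionsEgress"):
        ec2.revoke_security_group_egress(GroupId=group["GroupId"],
                                         IpPermissions=group["IpPermissionsEgress"])

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_GROUPS):
        print(finding)
```

Security groups have no explicit deny entries, so the end state this script checks for is a default group with zero rules, and the remediation path is revoking whatever rules remain. Run the live functions per region, since default security groups exist in every VPC of every region.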
