Rule: VPC default security group should prohibit traffic
This rule ensures VPC default security group blocks all inbound and outbound traffic.
| Rule | VPC default security group should prohibit inbound and outbound traffic |
| Framework | PCI v3.2.1 |
| Severity | ✔ Medium |
Rule Description:
The VPC default security group should be configured to deny all inbound and outbound traffic for PCI v3 compliance. This rule ensures that the default security group does not allow any unauthorized access or data leakage within the VPC.
Troubleshooting Steps:
- 1.
Verify the default security group configuration:
- Check if the default security group is associated with the VPC.
- Confirm if there are any existing inbound and outbound rules configured.
- 2.
Review the inbound and outbound rules:
- Check if any rules are allowing traffic that violates the PCI v3 compliance.
- Identify any rules that need to be modified or removed.
- 3.
Check for any overrides or conflicting rules:
- Verify if there are any Network ACLs (Access Control Lists) associated with the subnet(s) using the default security group.
- Ensure that the ACLs are not allowing traffic that violates PCI v3 compliance.
- 4.
Test the connectivity:
- Attempt to access the resources/services from both internal and external sources.
- Ensure that no unauthorized access or data leakage is possible.
- 5.
Verify logging and monitoring:
- Confirm that logging and monitoring mechanisms are in place to detect any security breaches or unexpected network traffic.
Necessary Code:
If the default security group allows inbound/outbound traffic, the following code can be used to modify the rules:
In AWS CLI:
aws ec2 authorize-security-group-ingress \ --group-id <default-security-group-id> \ --protocol -1 \ --source-security-group <source-security-group-id> \ --region <region-name>
aws ec2 authorize-security-group-egress \ --group-id <default-security-group-id> \ --protocol -1 \ --destination-security-group <destination-security-group-id> \ --region <region-name>
Replace
<default-security-group-id><source-security-group-id><destination-security-group-id><region-name>Remediation Steps:
To ensure the VPC default security group prohibits inbound and outbound traffic for PCI v3, follow these steps:
- 1.
Access the AWS Management Console and navigate to the Amazon VPC service.
- 2.
Select the default security group associated with the VPC.
- 3.
Review the existing inbound and outbound rules configured for the default security group.
- 4.
Remove any rules that allow unauthorized inbound or outbound traffic for PCI v3 compliance.
- 5.
If necessary, modify the rules to restrict access to authorized sources only.
- 6.
Save the changes to the default security group configuration.
- 7.
Test the connectivity to ensure that no unauthorized access or data leakage is allowed within the VPC.
- 8.
Implement logging and monitoring mechanisms to detect any security breaches or unexpected network traffic.
Note: It is recommended to create additional security groups with specific rules for authorized traffic if needed, rather than relying solely on the default security group.