Profile Applicability: Level 2


Description:

Amazon Virtual Private Cloud (VPC) is a network service that you can use to establish boundaries around your AWS resources. Every VPC comes with a default security group whose initial settings deny all inbound traffic from outside the group, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. 


Rationale:

Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will, in turn, reduce the exposure of those resources.


Impact:

Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many unknown ports. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach-free will reveal the current pattern of ports being used for each instance to communicate successfully. 


Default Value:

The following table describes the default rules for a default security group.

Inbound

  Type         Protocol   Port Range   Source                                           Description
  All traffic  All        All          Security Group ID (e.g. sg-dedc3c97 / default)   Allows inbound traffic to the associated instances from network interfaces that are assigned to the same security group.

Outbound

  Type         Protocol   Port Range   Destination   Description
  All traffic  All        All          0.0.0.0/0     Allow all outbound IPv4 traffic.


Audit:

  1. Log in to the AWS Management Console 
  2. Go to VPC service at https://console.aws.amazon.com/vpc/home
  3. Click on Security Groups in the left navigation pane
  4. Select the default security group 
  5. Click on the Inbound Rules tab to audit
  6. In this tab, observe that the default security group contains an All traffic rule, which means it does not restrict any traffic
  7. Check the Outbound Rules tab in the same way


Via CLI:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters Name=group-name,Values='default' \
  --output table \
  --query 'SecurityGroups[*].IpPermissions[*].IpRanges'

Note that this query prints only the IPv4 CIDR ranges of the inbound rules. The default group's self-referencing rule is recorded under UserIdGroupPairs rather than IpRanges, and outbound rules are under IpPermissionsEgress, so to confirm compliance check that both the IpPermissions and IpPermissionsEgress lists of each default group are empty.

Remediation:

Pre-Requisite:

  1. Identify AWS resources that exist within the default security group 

  2. Before implementation steps create a set of least privileged security groups for those resources

  3. Place the resources in those security groups

  4. Remove the resources noted in #1 from the default security group


Implementation Steps:

Perform the following to implement the prescribed state:

  1. Log in to the AWS Management Console
  2. Go to VPC service at https://console.aws.amazon.com/vpc/home
  3. Click on Security Groups in the left navigation pane
  4. Select the default security group
  5. Click on the Inbound Rules tab
  6. Click the Edit inbound rules button
  7. If any rule exists in the inbound rules, delete it and ensure that no rule remains
  8. After deleting the rules, click on the Save rules button
  9. Click the Outbound Rules tab to remove the rules
  10. Click on the Edit outbound rules button to delete the rule
  11. Click on the Delete button and then click on the Save rules button


Via CLI:


1. In the CLI, first list all security groups that have an ingress rule from 0.0.0.0/0:

aws ec2 describe-security-groups \
  --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
  --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"


2. Remove the rule:

aws ec2 revoke-security-group-ingress \
  --group-id <value> --protocol <protocol> --port 3389 --cidr 0.0.0.0/0


3. Optionally, add a more restrictive ingress rule to the selected security group:

aws ec2 authorize-security-group-ingress --region <region> \
  --group-name <group_name> --protocol <protocol> \
  --port <port_no> --cidr <cidr_block>

Note: perform all of the above steps in every region.
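The audit query and the manual rule removal above, combined into one added script (written for this page, not part of the benchmark or of the AWS CLI): it reads the JSON output of describe-security-groups, flags every default group that still carries an inbound or outbound rule (including the self-referencing rule, which CIDR-based queries do not show), and emits the matching revoke command for each rule. The embedded sample output and its group, VPC and account IDs are constructed; the file name audit_default_sg.py in the usage comment is an assumption.

```python
import json
import sys

# Constructed sample of what `aws ec2 describe-security-groups --filters
# Name=group-name,Values=default --output json` returns for one region;
# the group, VPC and account IDs are made up. The first group is still the
# AWS default (self-referencing ingress, allow-all egress); the second complies.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupName": "default", "GroupId": "sg-0aaa111122223333a", "VpcId": "vpc-0111111111111111a",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaa111122223333a", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                              "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupName": "default", "GroupId": "sg-0bbb111122223333b", "VpcId": "vpc-0222222222222222b",
     "IpPermissions": [], "IpPermissionsEgress": []},
]})


def audit_default_groups(describe_json):
    """One finding per rule still present on a default group: compliance means both
    IpPermissions (inbound) and IpPermissionsEgress (outbound) are empty."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        if sg.get("GroupName") != "default":
            continue
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                findings.append({"GroupId": sg["GroupId"], "VpcId": sg.get("VpcId"),
                                 "direction": direction, "permission": perm})
    return findings


def remediation_commands(findings, region):
    """Build the revoke command for each finding, passing the rule back verbatim
    via --ip-permissions so that self-referencing rules are removed as well."""
    cmds = []
    for f in findings:
        perm = json.dumps([f["permission"]], separators=(",", ":"))
        cmds.append(f"aws ec2 revoke-security-group-{f['direction']} --region {region} "
                    f"--group-id {f['GroupId']} --ip-permissions '{perm}'")
    return cmds


if __name__ == "__main__":
    # Pipe `describe-security-groups ... --output json` in; the region is argv[1] (assumed file name: audit_default_sg.py).
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for cmd in remediation_commands(audit_default_groups(data), region):
        print(cmd)
```

Run it once per region, review the printed commands against the pre-requisite inventory of resources, and only then execute them; with no input on stdin it runs against the embedded sample.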



Backout Plan:

Follow implementation steps 1 - 5 and then:

6. Click on the Add rule button

7. In the Type column select All traffic and click on the Save rules button



Reference:

  1. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-networksecurity.html

  2. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

CIS Controls:

14.6 Protect Information through Access Control Lists 

    Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.