Profile Applicability: Level 2


Description:

Amazon Virtual Private Cloud (VPC) is a network service you can use to establish boundaries around your AWS resources. Each VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation. 


Rationale:

Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will, in turn, reduce the exposure of those resources.


Impact:

Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many unknown ports. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach-free will reveal the current pattern of ports being used for each instance to communicate successfully. 
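The flow-log approach described above can be turned into a concrete migration inventory. The following added example (not part of the CIS or AWS material) parses VPC flow log records in the default version 2 format, keeps only ACCEPT records whose destination is one of the instance's own private addresses (so that the return half of each connection is not mistaken for a listening port), and summarises the ports and sources in use per network interface. The log lines, account id, ENI ids and addresses are constructed placeholders.

```python
"""Summarise accepted traffic per network interface from VPC flow log records so the
ports actually in use can become explicit security group rules before the default
group is locked down.  Added example, not CIS/AWS code; records are constructed."""
from collections import defaultdict

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()
PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}

# Constructed sample records with placeholder account and ENI ids.
SAMPLE_LOG = """\
2 111111111111 eni-0aaaaaaaaaaaaaaa1 10.0.1.20 10.0.1.10 51002 22 6 10 1500 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0aaaaaaaaaaaaaaa1 10.0.1.10 10.0.1.20 22 51002 6 9 1400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0aaaaaaaaaaaaaaa1 10.0.1.30 10.0.1.10 51003 22 6 8 1200 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0aaaaaaaaaaaaaaa1 10.0.2.5 10.0.1.10 40000 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0aaaaaaaaaaaaaaa1 198.51.100.7 10.0.1.10 4444 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111111111111 eni-0bbbbbbbbbbbbbbb2 10.0.1.10 10.0.1.40 33000 5432 6 50 20000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0bbbbbbbbbbbbbbb2 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per well-formed v2 record; skip NODATA/SKIPDATA and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        yield rec


def accepted_ports(text, local_ips):
    """Map interface id -> {(protocol, dstport): set of source addresses}.

    Only ACCEPT records whose destination is one of ``local_ips`` (the private
    addresses owned by the interfaces being audited) are counted, so the response
    flow of a connection (dstport = ephemeral port) is not reported as a service.
    """
    summary = defaultdict(lambda: defaultdict(set))
    for rec in parse_flow_log(text):
        if rec["action"] != "ACCEPT" or rec["dstaddr"] not in local_ips:
            continue
        proto = PROTO.get(rec["protocol"], rec["protocol"])
        summary[rec["interface_id"]][(proto, int(rec["dstport"]))].add(rec["srcaddr"])
    return {eni: dict(ports) for eni, ports in summary.items()}


def suggest_rules(summary):
    """Flatten the summary into (interface, protocol, port, source/32) tuples, one per observed source."""
    rules = []
    for eni, ports in summary.items():
        for (proto, port), sources in ports.items():
            for src in sorted(sources):
                rules.append((eni, proto, port, src + "/32"))
    return sorted(rules)


if __name__ == "__main__":
    observed = accepted_ports(SAMPLE_LOG, {"10.0.1.10", "10.0.1.40"})
    for rule in suggest_rules(observed):
        print("%s  %s/%d  from %s" % rule)
```

The per-source /32 entries are deliberately narrow; in practice you would widen them to the subnet or referencing security group that the source instances actually belong to, and review anything that was only ever seen as REJECT before deciding it is not needed.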


Default Value:


VPC automatically comes with a default security group. If you don't specify a different security group when you launch the instance, the default security group will be associated with the instance. By default, the security group allows all inbound connections. 

The following table describes the default rules for a default security group.

Inbound

  Type         Protocol   Port Range   Source                          Description
  All traffic  All        All          Security Group ID               Allow inbound traffic from network interfaces (and their
                                       (e.g. sg-dedc3c97 / default)    associated instances) that are assigned to the same security group.

Outbound

  Type         Protocol   Port Range   Destination   Description
  All traffic  All        All          0.0.0.0/0     Allow all outbound IPv4


Pre-Requisite:

  1. Identify the AWS resources that exist within the default security group.
  2. Log in as an administrator or as an IAM user with the required permissions.


Test Plan:


Step 1: Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home


Step 2: Click on Security Groups in the left navigation pane. 


 


Step 3: Select the default security group  



Step 4: Click on the Inbound Rules tab to audit


Step 5: In this tab, you can see that the default security group contains an All traffic rule, which means it does not restrict any traffic.



Using AWS CLI:


The following command lists the inbound IP ranges allowed by every security group named "default" in the region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters Name=group-name,Values='default' \
  --output table \
  --query 'SecurityGroups[*].IpPermissions[*].IpRanges'
 

Remediation:

Implementation Steps:

Step 1: Log in to the AWS Management Console and navigate to the VPC Console at https://console.aws.amazon.com/vpc/home


Step 2: Click on Security Groups in the left navigation pane.


Step 3: Select the default security group 


Step 4: Click on the Inbound Rules tab 


Step 5: Click the Edit inbound rules button



Step 6: Edit the rules so that the security group allows only the specific traffic that is required



Step 7: After changing the rules click on the Save rules button


Step 8: The same change can be applied to the outbound rules: click the Outbound Rules tab to change them.



Step 9: Click on the Edit outbound rules button to change the rule.


Step 10: Change the rules as per requirement


Step 11: Choose Save rules to apply the configuration changes.


Using AWS CLI:


This command is used to list out all security groups with an ingress rule of 0.0.0.0/0



Note: Perform all of the above steps in every region.
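The Test Plan's CLI check and the remediation's CLI step can be driven from the JSON output of `aws ec2 describe-security-groups`. The following added example (not CIS or AWS code) reads that output, reports every security group named "default" that still carries inbound or outbound rules, and builds the `aws ec2 revoke-security-group-ingress` / `revoke-security-group-egress` commands that would remove exactly those rules; both commands accept the same `--ip-permissions` structure that `describe-security-groups` returns. The embedded JSON, group ids, VPC ids and account id are constructed placeholders, and the region is a parameter because the check has to be repeated per region.

```python
"""Audit describe-security-groups output for default security groups that still
permit traffic, and build the revoke commands that would empty them.
Added example, not CIS/AWS code; the JSON below is constructed sample output."""
import json
import shlex

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE = json.dumps({
    "SecurityGroups": [
        {   # Untouched default group: self-referencing ingress, all-IPv4 egress.
            "GroupId": "sg-0example1", "GroupName": "default", "VpcId": "vpc-0example1",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0example1", "UserId": "111111111111"}]}],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "PrefixListIds": [], "UserIdGroupPairs": []}]},
        {   # Already remediated default group: no rules in either direction.
            "GroupId": "sg-0example2", "GroupName": "default", "VpcId": "vpc-0example2",
            "IpPermissions": [], "IpPermissionsEgress": []},
        {   # Non-default group; out of scope for this recommendation.
            "GroupId": "sg-0example3", "GroupName": "web", "VpcId": "vpc-0example1",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "PrefixListIds": [], "UserIdGroupPairs": []}],
            "IpPermissionsEgress": []},
    ]
})


def default_groups(describe_json):
    """Return the security groups named 'default' from describe-security-groups output."""
    data = json.loads(describe_json)
    return [g for g in data["SecurityGroups"] if g["GroupName"] == "default"]


def audit(describe_json):
    """Map each default group id to the directions ('ingress', 'egress') that still have rules."""
    findings = {}
    for g in default_groups(describe_json):
        problems = []
        if g.get("IpPermissions"):
            problems.append("ingress")
        if g.get("IpPermissionsEgress"):
            problems.append("egress")
        findings[g["GroupId"]] = problems
    return findings


def is_compliant(describe_json):
    """True when every default security group restricts all traffic."""
    return all(not problems for problems in audit(describe_json).values())


def revoke_commands(describe_json, region):
    """Build the CLI commands that remove every existing rule from each non-compliant default group.

    The permissions list returned by describe-security-groups is passed back unchanged,
    so each command revokes exactly the rules that were observed.
    """
    cmds = []
    for g in default_groups(describe_json):
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            perms = g.get(key) or []
            if not perms:
                continue
            cmds.append(
                "aws ec2 revoke-security-group-%s --region %s --group-id %s --ip-permissions %s"
                % (direction, region, g["GroupId"], shlex.quote(json.dumps(perms))))
    return cmds


if __name__ == "__main__":
    for group_id, problems in audit(SAMPLE).items():
        print(group_id, "non-compliant: " + ", ".join(problems) if problems else "compliant")
    for cmd in revoke_commands(SAMPLE, "us-east-1"):
        print(cmd)
```

Run the audit in each region against live output (for example `aws ec2 describe-security-groups --region <region> --output json`) and review the generated commands before executing them; revoking the rules on a default group that still has instances attached will cut their traffic, which is the migration risk described under Impact.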



Backout Plan:


Step 1: Log in to the AWS Management Console and navigate to the VPC Console at https://console.aws.amazon.com/vpc/home 


Step 2: Click on Security Groups in the left navigation pane.


Step 3: Select the default security group 


Step 4: Click on the Inbound Rules tab 


Step 5: Click the Edit inbound rules button


Step 6: Click on Add rule button



Step 7: In the Type column, select All traffic and click on the Save rules button



CLI Commands


This command adds the rules back to a security group.


Reference:

  1. http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html

  2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html