Profile Applicability:

Level 2

Description:

Each AWS VPC has a default security group that, by default:

  • Denies all inbound traffic

  • Allows all outbound traffic

  • Allows unrestricted traffic between instances assigned to the same default security group

To enhance security, the default security group should be modified to restrict all inbound and outbound traffic.

Rationale:

Minimizes Attack Surface:

  • Ensures least privilege access control for instances in the default security group.

  • Reduces risk of misconfigurations leading to security exposure.

Prevents Accidental Network Exposure:

  • Restricting all traffic in the default security group forces administrators to explicitly define security groups per workload.

Enhances Compliance & Auditing:

  • Aligns with security best practices, SOC 2, ISO 27001, PCI-DSS, and CIS Benchmark.

  • Helps audit network access efficiently.

Impact:

Benefits:

  • Prevents accidental security misconfigurations.
  • Encourages use of least privilege security groups.
  • Reduces risk of lateral movement inside the VPC.

Challenges:

  • Existing workloads may depend on the default security group and could experience connectivity issues.
  • Network traffic should be analyzed before making changes.

Default Value:

  • By default, AWS denies inbound traffic but allows unrestricted outbound traffic for the default security group.

  • New instances without a specific security group are automatically assigned to the default security group.

Pre-Requisites:

  • AWS Account Access: IAM user with permissions to modify security groups.

Required IAM Policy (a complete policy document; the statement alone cannot be attached to a user or role):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}

Note that the authorize-security-group-ingress call in the Backout Plan additionally requires the ec2:AuthorizeSecurityGroupIngress action.

  • VPC Flow Logging (Recommended): Enable VPC Flow Logs to analyze current traffic patterns before making changes.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Console and open the VPC Console.

  2. In the left navigation pane, click Security Groups.

  3. Identify default security groups for all VPCs.

  4. Select a default security group → Click Inbound Rules:

    • Ensure NO inbound rules exist.

  5. Select Outbound Rules:

    • Ensure NO outbound rules exist.

  6. Repeat steps 3-5 for all VPCs in all AWS regions.

Using AWS CLI:

  1. List all security groups and identify the default security group of each VPC:
     aws ec2 describe-security-groups --query "SecurityGroups[?GroupName=='default'].[GroupId,VpcId]" --region <region>

  2. Check inbound rules for each default security group:
     aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[*].IpPermissions" --region <region>

  3. If any inbound rules exist, they must be removed.

  4. Check outbound rules for each default security group:
     aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[*].IpPermissionsEgress" --region <region>

  5. If any outbound rules exist, they must be removed.

  6. Repeat steps 1-5 in every AWS region.


Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Console and open the VPC Console.

  2. In the left navigation pane, click Security Groups.

  3. Select a default security group.

  4. Click Inbound Rules → Remove all rules.

  5. Click Outbound Rules → Remove all rules.

  6. Repeat for all default security groups in all VPCs.

Using AWS CLI:

  • Export the current inbound rules of the default security group, then revoke exactly those rules. The Revoke API only removes rules that match the submitted permissions, so passing an empty list such as "[]" removes nothing; skip the revoke call if the exported list is empty:
aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[0].IpPermissions" --output json --region <region> > ingress.json
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions file://ingress.json --region <region>
  • Do the same for the outbound rules (the stock egress rule allows all protocols to 0.0.0.0/0):
aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[0].IpPermissionsEgress" --output json --region <region> > egress.json
aws ec2 revoke-security-group-egress --group-id <security-group-id> --ip-permissions file://egress.json --region <region>
  • Verify that the security group rules are empty:
aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[*].[IpPermissions, IpPermissionsEgress]" --region <region>
  • If both lists in the output are empty, the security group is correctly restricted. Keep ingress.json and egress.json; they are the exact rule set to re-authorize if the Backout Plan is needed.
  • Repeat for all default security groups in all AWS regions.
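The following Python script is an added example and is not part of the benchmark text or AWS tooling. It applies the audit logic of the Test Plan (a default security group passes only when both its inbound and outbound rule lists are empty) to the JSON that aws ec2 describe-security-groups emits, and it builds the exact revoke payloads and CLI commands the remediation step needs. It runs offline on a constructed sample of that JSON; the group IDs, VPC IDs, account ID, region and payload file names are all made up for illustration.

```python
"""Audit default security groups from `aws ec2 describe-security-groups`
JSON and build the revoke payloads needed to empty them (added example)."""
import json

# Constructed sample of the CLI's JSON output for a region with two VPCs.
# vpc-0aaaa111 still carries the stock default rules (self-referencing
# inbound, allow-all outbound); vpc-0bbbb222 has already been restricted.
# All identifiers here are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d4e5f60001",
            "GroupName": "default",
            "VpcId": "vpc-0aaaa111",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                 "PrefixListIds": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001",
                                       "UserId": "111111111111"}]}],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}],
        },
        {
            "GroupId": "sg-0a1b2c3d4e5f60002",
            "GroupName": "default",
            "VpcId": "vpc-0bbbb222",
            "IpPermissions": [],
            "IpPermissionsEgress": [],
        },
        {   # a non-default group: out of scope for this control
            "GroupId": "sg-0a1b2c3d4e5f60003",
            "GroupName": "web-tier",
            "VpcId": "vpc-0aaaa111",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "PrefixListIds": [], "UserIdGroupPairs": []}],
            "IpPermissionsEgress": [],
        },
    ]
})


def default_security_groups(describe_json: str) -> list:
    """Return every VPC's default group, mirroring the CLI query
    SecurityGroups[?GroupName=='default']."""
    groups = json.loads(describe_json)["SecurityGroups"]
    return [g for g in groups if g.get("GroupName") == "default"]


def audit_default_groups(describe_json: str) -> dict:
    """Map each default GroupId to a finding. The group is compliant only
    when IpPermissions (inbound) and IpPermissionsEgress (outbound) are
    both empty. Non-empty lists are kept verbatim: RevokeSecurityGroup*
    only removes rules that match the submitted permission exactly, so the
    describe output is the right payload to send back."""
    findings = {}
    for g in default_security_groups(describe_json):
        inbound = g.get("IpPermissions", [])
        outbound = g.get("IpPermissionsEgress", [])
        findings[g["GroupId"]] = {
            "VpcId": g["VpcId"],
            "compliant": not inbound and not outbound,
            "revoke_ingress": inbound,   # payload for revoke-security-group-ingress
            "revoke_egress": outbound,   # payload for revoke-security-group-egress
        }
    return findings


def revoke_commands(describe_json: str, region: str) -> list:
    """Build the CLI commands that empty each non-compliant default group.
    Payloads are referenced as file:// arguments (file names are placeholders
    chosen here) so the JSON survives shell quoting; a revoke is emitted only
    for a non-empty list, since an empty payload removes nothing."""
    cmds = []
    for gid, f in audit_default_groups(describe_json).items():
        if f["compliant"]:
            continue
        if f["revoke_ingress"]:
            cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {gid} "
                        f"--ip-permissions file://{gid}-ingress.json --region {region}")
        if f["revoke_egress"]:
            cmds.append(f"aws ec2 revoke-security-group-egress --group-id {gid} "
                        f"--ip-permissions file://{gid}-egress.json --region {region}")
    return cmds


if __name__ == "__main__":
    for gid, f in audit_default_groups(SAMPLE_DESCRIBE_OUTPUT).items():
        state = "OK  " if f["compliant"] else "FAIL"
        print(f"{state} {gid} ({f['VpcId']}): {len(f['revoke_ingress'])} inbound, "
              f"{len(f['revoke_egress'])} outbound rule(s)")
    for cmd in revoke_commands(SAMPLE_DESCRIBE_OUTPUT, "us-east-1"):
        print(cmd)
```

To use it against a real account, replace SAMPLE_DESCRIBE_OUTPUT with the text of aws ec2 describe-security-groups --output json --region <region>, write each finding's revoke_ingress and revoke_egress lists to the placeholder file names, and run the printed commands once per region. Keeping those payload files is also the cleanest record for the Backout Plan, because they hold the exact rules that were removed.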

Backout Plan:

If removing default security group rules causes issues:

  1. Revert to the previous security group configuration using the AWS CLI, for example:
     aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
     (This example restores SSH access; modify it based on the previous rules.)

  2. Re-enable necessary security rules based on VPC Flow Logs analysis.

  3. Monitor for application errors or connectivity issues.

References: