Profile Applicability:

  • Level 1

Description:
When launching an EC2 instance, a custom security group should always be assigned to ensure proper security controls. By default, EC2 instances are assigned the default security group, which may have relaxed rules and could potentially expose the instance to unnecessary risk. This policy ensures that no EC2 instance is using the default security group, which might allow unrestricted access to instances, thereby increasing the attack surface.

Rationale:
The default security group in AWS allows all inbound traffic from other members of the same group and all outbound traffic unless its rules are specifically modified. If EC2 instances are launched with the default security group:

  • They may inherit open access rules (e.g., all inbound traffic is allowed from other instances in the group).

  • This increases the risk of unauthorized access or data breaches, as the default security group may not have the necessary restrictions for production environments. By ensuring that custom security groups are used, EC2 instances can have more granular, appropriate security settings.

Impact:
Pros:

  • Improved security posture by ensuring EC2 instances are associated with custom security groups that enforce least-privilege access controls.

  • Reduced attack surface by avoiding the use of default security groups that might have relaxed rules.

  • Better network segmentation and access control, allowing EC2 instances to have more secure configurations based on their function.

Cons:

  • Increased administrative overhead to ensure that all EC2 instances are launched with appropriate custom security groups.

  • Risk of misconfiguration if custom security groups are not configured correctly, potentially leading to access issues.

Default Value:
By default, EC2 instances are associated with the default security group unless a custom security group is specified. This can lead to security risks if the default security group is used inappropriately.

Pre-requisites:

  • AWS IAM permissions to manage EC2 instances and security groups:
     ec2:DescribeInstances, ec2:DescribeSecurityGroups, ec2:ModifyInstanceAttribute, ec2:ModifySecurityGroupRules

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, click Instances, then click Instances from the dropdown.

  3. For each EC2 instance, click on the instance name to view its details.

  4. In the Description tab, review the Security Groups section.

  5. If the default security group is listed, this instance is using the default security group, which should be updated.

  6. Repeat steps 3–5 for all instances and check across other AWS regions where EC2 instances may exist.

Using AWS CLI:

  1. Run the following command in each region where EC2 instances may exist to list the instances using the default security group:

    aws ec2 describe-instances --region <region> --output json --filters "Name=instance.group-name,Values=default" --query "Reservations[*].Instances[*].InstanceId"

  2. Review the instance IDs that appear in the output to identify which EC2 instances are using the default security group.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS EC2 Console.

  2. In the left pane, click Network & Security, then click Security Groups.

  3. Select the default security group that you want to review.

  4. Click Actions, then View details.

  5. Click on the Inbound rules tab, then click Edit inbound rules.

  6. Click Delete to remove all the inbound rules.

  7. Click Save rules to apply the changes.

  8. Once the default security group has been cleared of rules, repeat this process for any other default security groups listed.

Using AWS CLI:

  1. For each EC2 instance that is using the default security group, replace its security group list with the custom security group(s) it should use:

    aws ec2 modify-instance-attribute --instance-id <instance-id> --groups <custom-security-group-id>

  2. This replaces the default security group with the custom security group. Note that --groups sets the instance's complete list of security groups, so every group the instance should keep must be included in the command, and an instance must always be left with at least one security group.
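Added example (not part of this benchmark): a short Python script that processes the JSON produced by the describe-instances command from the Test Plan, reports which instances carry the default security group, and builds the modify-instance-attribute call from the Implementation Plan with the full group list preserved. It runs offline on a constructed sample that mimics the describe-instances output shape; the instance and group IDs are made up, and it does not call AWS.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
# All IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "SecurityGroups": [
            {"GroupId": "sg-0default1", "GroupName": "default"},
            {"GroupId": "sg-0web", "GroupName": "web-tier"}]},
        {"InstanceId": "i-0bbb222", "SecurityGroups": [
            {"GroupId": "sg-0default1", "GroupName": "default"}]},
        {"InstanceId": "i-0ccc333", "SecurityGroups": [
            {"GroupId": "sg-0db", "GroupName": "db-tier"}]},
    ]}]
})


def find_default_sg_usage(describe_output: str) -> dict:
    """Map InstanceId -> GroupIds to keep (everything except 'default') for
    each instance that has a group named 'default' attached. Compliant
    instances are not included."""
    findings = {}
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            groups = inst.get("SecurityGroups", [])
            if any(g["GroupName"] == "default" for g in groups):
                findings[inst["InstanceId"]] = [
                    g["GroupId"] for g in groups if g["GroupName"] != "default"]
    return findings


def remediation_command(instance_id: str, keep_groups: list,
                        replacement_sg: str = None) -> str:
    """Build the modify-instance-attribute call. --groups sets the complete
    group list, so the groups to keep are carried over and the custom
    replacement is appended; an instance whose only group was 'default'
    cannot be remediated without a replacement, so that case is refused."""
    groups = list(keep_groups)
    if replacement_sg and replacement_sg not in groups:
        groups.append(replacement_sg)
    if not groups:
        raise ValueError("%s would be left with no security group; "
                         "supply a custom replacement group" % instance_id)
    return ("aws ec2 modify-instance-attribute --instance-id %s --groups %s"
            % (instance_id, " ".join(groups)))


if __name__ == "__main__":
    for inst_id, keep in find_default_sg_usage(SAMPLE_DESCRIBE_INSTANCES).items():
        print(remediation_command(inst_id, keep, "sg-0custom"))
```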

Backout Plan:

Using AWS Console:

  1. If removing the default security group causes issues, the default security group can be reassigned to the instance by selecting it from the list of security groups and applying it to the instance.

  2. Log in to the EC2 Console, select the instance, and go to Actions > Security > Change security groups.

  3. Reassign the default security group if needed.

Using AWS CLI:

  1. To revert to using the default security group for an EC2 instance, run the following command:

    aws ec2 modify-instance-attribute --instance-id <instance-id> --groups <default-security-group-id>

References:

  1. AWS EC2: Security Groups

  2. AWS CLI: describe-instances

  3. AWS CLI: modify-instance-attribute

CIS Controls:

  Version | Control ID | Control Description
  --------|------------|--------------------
  v8      | 3.3        | Configure data access control lists (ACLs), ensuring that EC2 instances are not associated with the default security group, but instead with a custom security group that enforces least-privilege access.
  v7      | 14.6       | Protect information by ensuring that EC2 instances are not associated with the default security group, which may expose resources to unauthorized access.