Profile Applicability
- Level 1
Description:
The default security group of each VPC is created automatically when the VPC is provisioned. By default, this security group allows inbound traffic from any source and outbound traffic to any destination. This can pose a security risk, as it might allow unnecessary traffic to flow to and from instances that are assigned to the default security group.
It is essential to modify the default security group to restrict all traffic by default, only allowing explicitly authorized traffic. This helps in reducing the potential attack surface and ensures that security groups are configured with the principle of least privilege.
Rationale:
Restricting all traffic by default in the security group ensures:
- Increased security: By restricting all inbound and outbound traffic, you can enforce a more controlled and minimalistic approach to network access.
- Best practices: Aligns with the principle of least privilege by ensuring that only the necessary ports are open for legitimate communication.
- Reduced attack surface: Minimizes the potential for unauthorized access by restricting traffic to only explicitly allowed sources and destinations.
- Compliance: Helps meet regulatory standards that require restrictive access to cloud resources, reducing the risk of accidental exposure or attacks.
Without this configuration, the default security group may inadvertently allow excessive traffic, potentially exposing instances to malicious actors or unauthorized access.
Impact:
Failure to restrict all traffic in the default security group can result in:
- Excessive exposure of instances to unauthorized or unwanted traffic, increasing the risk of compromise.
- Non-compliance with security best practices and regulatory requirements that demand strict access controls.
- Increased attack surface due to misconfigured default security settings.
By ensuring the default security group restricts all traffic, the VPC is secured against unnecessary exposure, reducing risks of data breaches and unauthorized access.
Default Value:
By default, AWS creates a security group for each VPC that allows:
- All inbound traffic from any source.
- All outbound traffic to any destination.
This default configuration should be modified to restrict all traffic unless explicitly allowed.
Pre-Requisites:
- AWS CLI installed and configured
- IAM permissions:
  - ec2:DescribeSecurityGroups
  - ec2:ModifySecurityGroupRules
  - ec2:CreateSecurityGroup
- The default security group should be reviewed and modified to restrict traffic.
Remediation:
Test Plan:
Using AWS Console:
- Go to the VPC Console.
- In the Security Groups section, select the default security group for each VPC.
- Check the Inbound and Outbound rules. By default, there should be rules allowing all inbound and outbound traffic.
- Modify the Inbound and Outbound rules to restrict all traffic, allowing only the necessary ports.
Using AWS CLI:
List the current inbound rules of the default security group:
aws ec2 describe-security-groups --group-names default --query "SecurityGroups[0].IpPermissions" --output table
To modify the inbound rules to restrict all traffic:
aws ec2 revoke-security-group-ingress --group-name default --protocol all --port all --cidr 0.0.0.0/0
To modify the outbound rules to restrict all traffic:
aws ec2 revoke-security-group-egress --group-name default --protocol all --port all --cidr 0.0.0.0/0
Implementation Plan:
Using AWS Console:
Modify the default security group to restrict traffic:
- Go to the VPC Console.
- Under Security Groups, select the default security group.
- In the Inbound rules tab, remove all rules that allow unrestricted inbound traffic.
- In the Outbound rules tab, remove all rules that allow unrestricted outbound traffic.
- Add specific rules to allow only the required inbound and outbound traffic for your environment.
Verify the changes:
- Ensure that all inbound and outbound traffic is restricted by default, allowing only traffic that is explicitly permitted.
Using AWS CLI:
Revoke unrestricted inbound and outbound traffic:
aws ec2 revoke-security-group-ingress --group-name default --protocol all --port all --cidr 0.0.0.0/0
aws ec2 revoke-security-group-egress --group-name default --protocol all --port all --cidr 0.0.0.0/0
Add specific allowed rules for necessary traffic:
aws ec2 authorize-security-group-ingress --group-name default --protocol tcp --port 80 --cidr 0.0.0.0/0
Verify the security group rules:
aws ec2 describe-security-groups --group-names default --query "SecurityGroups[0].IpPermissions" --output table
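The CLI test and implementation steps above check one group by name, which only resolves in the default VPC. The added example below (written for this page, not part of the benchmark or of any AWS tooling) audits the JSON that `aws ec2 describe-security-groups --filters Name=group-name,Values=default --output json` returns for every VPC, lists each rule still present on a default group, and builds the matching revoke command by group ID; the sample data is constructed, and the group and VPC IDs in it are placeholders.

```python
"""Audit default security groups from describe-security-groups JSON and build
the revoke commands for whatever rules remain on each VPC's default group."""
import json
import shlex

# Constructed sample (not captured from a real account): vpc-0example1 still has the
# stock rules (self-referencing ingress, all-traffic egress); vpc-0example2 is locked down.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0example1", "GroupName": "default", "VpcId": "vpc-0example1",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [
         {"GroupId": "sg-0example1", "UserId": "111111111111"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "GroupName": "default", "VpcId": "vpc-0example2",
     "IpPermissions": [], "IpPermissionsEgress": []},
]})


def audit_default_groups(describe_json):
    """Return (group_id, vpc_id, direction, rule) for every rule still present on a
    default security group. An empty list means every VPC passes the control."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        if sg.get("GroupName") != "default":
            continue  # only the VPC default group is in scope for this control
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for rule in sg.get(key, []):
                findings.append((sg["GroupId"], sg["VpcId"], direction, rule))
    return findings


def revoke_commands(findings):
    """One `aws ec2 revoke-security-group-<direction>` per finding. The rule is handed
    back verbatim via --ip-permissions, so protocol -1, self-referencing group pairs and
    IPv6 ranges are matched exactly; --group-id is used because a group name is only
    unique within one VPC, so --group-name default is ambiguous across VPCs."""
    return ["aws ec2 revoke-security-group-%s --group-id %s --ip-permissions %s"
            % (direction, gid, shlex.quote(json.dumps([rule])))
            for gid, _vpc, direction, rule in findings]


if __name__ == "__main__":
    found = audit_default_groups(SAMPLE)
    for gid, vpc, direction, rule in found:
        print("NON-COMPLIANT %s in %s: %s rule %s" % (gid, vpc, direction, json.dumps(rule)))
    for cmd in revoke_commands(found):
        print(cmd)
```

Review the printed commands before running them; the same approach works for the page's own test plan if the describe output is piped in from a file.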
Backout Plan:
Using AWS Console:
If the changes cause connectivity issues:
- Go to the VPC Console.
- Revert the inbound and outbound rules to their original state, allowing all traffic.
Re-enable necessary inbound/outbound traffic:
- Add back the necessary rules for communication, ensuring that only specific ports and protocols are open.
Using AWS CLI:
Revert to allowing all traffic:
aws ec2 authorize-security-group-ingress --group-name default --protocol all --port all --cidr 0.0.0.0/0
aws ec2 authorize-security-group-egress --group-name default --protocol all --port all --cidr 0.0.0.0/0
Verify connectivity after restoring the default configuration:
aws ec2 describe-security-groups --group-names default --query "SecurityGroups[0].IpPermissions" --output table