Profile Applicability:

  • Level 1

Description:

This control ensures that the default security group in every Amazon Virtual Private Cloud (VPC) is configured to restrict all inbound and outbound traffic. By default, AWS creates a security group for each VPC that allows unrestricted communication between resources associated with that group. Restricting this traffic helps ensure that no unauthorized access or inter-instance communication occurs unintentionally. 

Rationale:

The default security group is automatically applied to new resources if no other group is specified. If it allows open inbound or outbound access, it can lead to unintentional exposure of internal resources and lateral movement within the network. Restricting all traffic in the default security group enforces intentional access management, ensuring only explicitly defined and authorized communication paths exist. This aligns with the principle of least privilege and best practices outlined in frameworks such as CIS, ISO 27001, SOC 2, and NIST 800-53. 

Impact:

  • Positive Impact: Improves network segmentation and prevents unauthorized access or communication between EC2 instances by enforcing strict traffic control.

  • Negative Impact: Misconfiguration could block legitimate internal communication if not properly planned or if no alternative security group is assigned during resource provisioning. 

Default Value:

By default, the AWS default security group allows all inbound traffic from resources assigned to the same group and all outbound traffic to any destination (0.0.0.0/0).

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress. 

Remediation:

Test Plan 

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to EC2 → Security Groups.
  3. Filter by Group Name = "default".
  4. Select each default security group across all VPCs.
  5. Review the inbound and outbound rules:
    • Inbound rules should have no entries.
    • Outbound rules should have no entries.

  6. If any default security group allows inbound or outbound traffic, the configuration is non-compliant.

Implementation Plan 

Using AWS Console:

  1. Navigate to EC2 → Security Groups.

  2. Select the default security group for each VPC.

  3. Choose Inbound rules → Edit inbound rules and delete all existing rules.

  4. Choose Outbound rules → Edit outbound rules and delete all existing rules.

  5. Click Save rules after each modification.

  6. Ensure all EC2 instances and other services are attached to properly configured, purpose-specific security groups with only required access permissions.
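The same audit and remediation can be driven through the EC2 API using the permissions listed under Pre-Requisite. The following is an added example, not part of this benchmark text: it evaluates a DescribeSecurityGroups response (here a constructed sample with placeholder ids; a live run would pass the output of boto3's `describe_security_groups()`, optionally filtered on `group-name` = `default`) and revokes whatever rules remain on each default group. The `DryRunClient` stands in for the boto3 client so the block runs offline.

```python
# Constructed sample in EC2 DescribeSecurityGroups response shape (placeholder ids,
# not real account data); a live run would pass describe_security_groups() output instead.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {   # non-compliant: still carries the two rules AWS creates on a default group
        "GroupId": "sg-0aaa111122223333a", "GroupName": "default", "VpcId": "vpc-0aaa0001",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                           "UserIdGroupPairs": [{"GroupId": "sg-0aaa111122223333a", "UserId": "111122223333"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {   # compliant: both rule sets already empty
        "GroupId": "sg-0bbb111122223333b", "GroupName": "default", "VpcId": "vpc-0bbb0002",
        "IpPermissions": [], "IpPermissionsEgress": []}]}

def default_groups(response):
    # Purpose-specific groups may legitimately carry rules; only the VPC default group is in scope.
    return [g for g in response["SecurityGroups"] if g["GroupName"] == "default"]

def audit(response):
    """GroupId -> (VpcId, inbound rule count, outbound rule count) for each default
    group that still has any rule; an empty dict means every VPC is compliant."""
    findings = {}
    for g in default_groups(response):
        n_in, n_out = len(g["IpPermissions"]), len(g["IpPermissionsEgress"])
        if n_in or n_out:
            findings[g["GroupId"]] = (g["VpcId"], n_in, n_out)
    return findings

def remediate(ec2, response):
    """Revoke every rule on non-compliant default groups; returns (GroupId, direction) pairs.
    `ec2` is a boto3 EC2 client (or any object with the same two revoke methods); the describe
    output is passed back unchanged so exactly the rules that exist are removed."""
    revoked = []
    for g in default_groups(response):
        if g["IpPermissions"]:
            ec2.revoke_security_group_ingress(GroupId=g["GroupId"], IpPermissions=g["IpPermissions"])
            revoked.append((g["GroupId"], "ingress"))
        if g["IpPermissionsEgress"]:
            ec2.revoke_security_group_egress(GroupId=g["GroupId"], IpPermissions=g["IpPermissionsEgress"])
            revoked.append((g["GroupId"], "egress"))
    return revoked

class DryRunClient:
    """Records the revoke calls instead of sending them; swap in boto3.client("ec2") for a live run."""
    def __init__(self):
        self.calls = []
    def revoke_security_group_ingress(self, **kw):
        self.calls.append(("ingress", kw["GroupId"], len(kw["IpPermissions"])))
    def revoke_security_group_egress(self, **kw):
        self.calls.append(("egress", kw["GroupId"], len(kw["IpPermissions"])))
```

Run `audit()` first and review the findings; only then pass a real client to `remediate()`, after confirming affected resources are attached to purpose-specific groups.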

Backout Plan:

Using AWS Console:

  1. If removing rules causes connectivity issues, re-add minimal necessary rules temporarily while assigning a more appropriate security group to affected resources.
  2. Implement monitoring to ensure future resources are not unintentionally launched with the default security group.


References: