Severity: Medium
Description: This controls ensures that the default security group for every VPC restricts all traffic. Default security group for VPC has initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. An instance is automatically assigned to this default security group, if no other security group is specified. It is recommended that the default security group restrict all traffic.
Remediation Steps:
Perform following to modify the default security group for VPC:
Login to the AWS Management Console at https://console.aws.amazon.com.
Step 1 : Update Security Group Members
Identify AWS resources that exist within the default security group
Create a set of least privilege security groups for those resources
Place the resources in those security groups
Remove the resources noted in #1 from the default security group
Step 2 : Update Security Group State
Navigate to Security Group console, For each default security group, perform the following.
Select the default security group
Click the Inbound Rules tab
Remove any inbound rules
Click the Outbound Rules tab
Remove any outbound rules
Important:
Reference:
CIS reference: CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #5.3
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-egress.html