AWS-SecurityGroup-Default-Security-Group-Restricts-All-Traffic

Severity: Medium

Description: This control ensures that the default security group for every VPC restricts all traffic. The default security group of a VPC has initial settings that deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. An instance is automatically assigned to this default security group if no other security group is specified. It is recommended that the default security group restrict all traffic.

Remediation Steps:

Perform the following to modify the default security group for each VPC:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Step 1: Update Security Group Members

    1. Identify AWS resources that exist within the default security group

    2. Create a set of least-privilege security groups for those resources

    3. Place the resources in those security groups

    4. Remove the resources noted in #1 from the default security group

  3. Step 2: Update Security Group State

    Navigate to the Security Group console and, for each default security group, perform the following:

    1. Select the default security group

    2. Click the Inbound Rules tab

    3. Remove any inbound rules

    4. Click the Outbound Rules tab

    5. Remove any outbound rules
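The check behind this control, and the CLI commands Step 2 amounts to, as an added example (not Blue Hexagon's or AWS's code). It works offline on the JSON shape of `aws ec2 describe-security-groups`; the group ids, VPC ids and rules below are constructed, and the revoke commands assume Step 1 has already moved resources out of the default group.

```python
import json

def audit_default_security_groups(groups):
    """Return findings for default groups that still carry any rule.

    `groups` is the "SecurityGroups" list from `aws ec2 describe-security-groups`.
    A compliant default group has empty IpPermissions and IpPermissionsEgress.
    """
    findings = []
    for sg in groups:
        if sg.get("GroupName") != "default":
            continue  # only the VPC default group is in scope for this control
        inbound = sg.get("IpPermissions", [])
        outbound = sg.get("IpPermissionsEgress", [])
        if inbound or outbound:
            findings.append({"VpcId": sg.get("VpcId"), "GroupId": sg["GroupId"],
                             "InboundRules": len(inbound),
                             "OutboundRules": len(outbound),
                             "RevokeCommands": revoke_commands(sg)})
    return findings

def revoke_commands(sg):
    """AWS CLI commands that remove every inbound and outbound rule of `sg`.
    The describe output's rule objects are reused as the --ip-permissions JSON."""
    cmds = []
    for flag, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        if sg.get(key):
            cmds.append("aws ec2 revoke-security-group-%s --group-id %s --ip-permissions '%s'"
                        % (flag, sg["GroupId"], json.dumps(sg[key])))
    return cmds

# Constructed sample: one default group still at AWS initial settings (self-referencing
# inbound rule plus allow-all egress), one already remediated, one non-default group.
SAMPLE_GROUPS = [
    {"GroupName": "default", "GroupId": "sg-0aaa1111", "VpcId": "vpc-0aaa1111",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0aaa1111"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "default", "GroupId": "sg-0bbb2222", "VpcId": "vpc-0bbb2222",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupName": "web", "GroupId": "sg-0ccc3333", "VpcId": "vpc-0bbb2222",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    print(json.dumps(audit_default_security_groups(SAMPLE_GROUPS), indent=2))
```

To run it against a real account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from the CLI output; only groups named `default` produce findings, and each finding carries the exact revoke commands for that group.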

Blue Hexagon Proprietary