AWS-VPC-Security-Group-CIDR-Overlaps

Severity: Low

Description: This control ensures that the security groups for the VPC have traffic rules configured so that no rule's source or destination CIDR overlaps another rule's CIDR. When a security group is edited to tighten its rules, the older, wider CIDR rules may be left in place. Because the wider rule still matches, the intended restriction has no effect and resources remain reachable from network addresses that should not have access. Following the AWS Well-Architected Framework guidelines and security best practice, the rule with the wider CIDR must be removed to prevent malicious access to resources.

Remediation Steps:

Perform the following to update the rules of the default security group:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the VPC console.

  3. In the navigation pane, under Security, select Security Groups.

  4. From the list of security groups, select the reported security group for the VPC.

  5. Choose Actions, then Edit inbound rules, to remove a rule for inbound traffic.

  6. Click Delete next to the rule to be removed.

  7. Choose Actions, then Edit outbound rules, to remove a rule for outbound traffic.

  8. Click Delete next to the rule to be removed.

  9. Choose Preview changes, then Confirm.
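The check behind this control, and the removal the steps above perform by hand, can be scripted. The following is an added example, not Blue Hexagon's or AWS's code. It takes a security group in the shape returned by the EC2 DescribeSecurityGroups API (IpPermissions / IpPermissionsEgress with IpRanges), flags every rule whose CIDR, protocol and port range are wholly covered by another rule in the same direction, and prints the AWS CLI revoke command for the wider rule without executing it. It goes slightly beyond the description by also treating an all-protocol ("-1") rule or a wider port range as covering a narrower rule. The group ID and the rules are constructed sample data, not values from any real account.

```python
"""Detect overlapping security-group CIDR rules and emit (not run) the
AWS CLI command that would remove the wider rule.

The rule tuples below are (protocol, from_port, to_port, ip_network).
"""
import ipaddress
import json

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"][0].
# "sg-PLACEHOLDER" is a placeholder, not a real group ID.
SAMPLE_GROUP = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.1.2.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def flatten(permissions):
    """Yield one (proto, from_port, to_port, network) tuple per IPv4 CIDR entry."""
    for perm in permissions:
        proto = perm["IpProtocol"]
        # "-1" means all protocols; such rules carry no port range, so use -1
        frm = perm.get("FromPort", -1)
        to = perm.get("ToPort", -1)
        for rng in perm.get("IpRanges", []):
            yield proto, frm, to, ipaddress.ip_network(rng["CidrIp"], strict=False)


def covers(wide, narrow):
    """True when `wide` permits everything `narrow` permits.

    Identical rules are not reported as overlaps. An all-protocol rule covers
    any protocol; otherwise the protocol must match and the port range of
    `wide` must contain that of `narrow`. The CIDR of `narrow` must lie inside
    (or equal) the CIDR of `wide`.
    """
    wp, wf, wt, wn = wide
    np_, nf, nt, nn = narrow
    if (wp, wf, wt, wn) == (np_, nf, nt, nn):
        return False
    if wp != "-1":
        if wp != np_:
            return False
        if not (wf <= nf and nt <= wt):
            return False
    return nn == wn or nn.subnet_of(wn)


def find_overlaps(permissions):
    """Return (wider_rule, narrower_rule) pairs; the wider rule is the removal candidate."""
    rules = list(flatten(permissions))
    return [(w, n) for w in rules for n in rules if covers(w, n)]


def overlap_report(group):
    """Run the check on both directions of a security group."""
    return {
        "ingress": find_overlaps(group.get("IpPermissions", [])),
        "egress": find_overlaps(group.get("IpPermissionsEgress", [])),
    }


def revoke_command(group_id, rule, direction):
    """Build the AWS CLI command that removes `rule` (returned as a string, never executed)."""
    proto, frm, to, net = rule
    perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": str(net)}]}
    if proto != "-1":  # all-protocol rules carry no port range
        perm["FromPort"] = frm
        perm["ToPort"] = to
    return (f"aws ec2 revoke-security-group-{direction} --group-id {group_id} "
            f"--ip-permissions '{json.dumps([perm])}'")


if __name__ == "__main__":
    report = overlap_report(SAMPLE_GROUP)
    for direction, pairs in report.items():
        for wide, narrow in pairs:
            print(f"{direction}: {wide[0]} {wide[1]}-{wide[2]} {wide[3]} "
                  f"also covers {narrow[3]}")
            print("  candidate removal:", revoke_command(SAMPLE_GROUP["GroupId"], wide, direction))
```

Review the printed commands against the CIDRs the workload actually needs before running any of them; the wider rule is only a candidate for removal, and the narrower rule may itself be the one that should stay.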

Important:

  • Instances that use the security group may stop working when its rules are updated, so verify which CIDRs must remain allowed to reach the resources before removing a rule.

Reference:


Blue Hexagon Proprietary