AWS-EC2-Default-Security-Group

Severity : Critical

Description: This control ensures that the default security group of each VPC is configured to block all traffic. The default security group is applied automatically to resources launched without a custom or explicitly assigned security group. Its stock inbound rule allows traffic from network interfaces and instances that belong to the same security group, and its stock outbound rules allow all IPv4 and IPv6 traffic. For this reason, the default group's rules should block all traffic to prevent accidental exposure.

Remediation Steps:

Perform the following steps to update the rules of the default security group:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the EC2 console.

  3. In the navigation pane, choose Security Groups.

  4. Select the default security group for the VPC reported.

  5. Choose Actions, Edit inbound rules to update a rule for inbound traffic.

  6. Update the default rule from Allow to Deny.

  7. Choose Actions, Edit outbound rules to update a rule for outbound traffic.

  8. Update the default rule from Allow to Deny.

  9. Choose Preview changes, then Confirm.
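The same remediation, scripted rather than clicked through the console, as an added example that is not Blue Hexagon's own check: security groups are allow-only, so "block all traffic" means leaving the default group with no rules at all, which is done by revoking every rule it holds. The sample groups are constructed in the shape of boto3's `describe_security_groups()["SecurityGroups"]`; the group and VPC IDs are placeholders.

```python
# Added example: find non-compliant default security groups and build the
# boto3 revoke calls that strip every rule from them. Runs offline on the
# constructed sample below; live use would feed it the real describe output.

# Constructed sample (placeholder IDs) in the shape of
# ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {   # stock default group: self-referencing ingress, allow-all egress
        "GroupId": "sg-0default0000000001", "GroupName": "default", "VpcId": "vpc-aaa",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0default0000000001",
                                   "UserId": "111111111111"}]}],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}],
    },
    {   # already remediated default group: no rules in either direction
        "GroupId": "sg-0default0000000002", "GroupName": "default", "VpcId": "vpc-bbb",
        "IpPermissions": [], "IpPermissionsEgress": [],
    },
    {   # custom group: out of scope for this control
        "GroupId": "sg-0custom00000000003", "GroupName": "web", "VpcId": "vpc-aaa",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        "IpPermissionsEgress": [],
    },
]


def find_noncompliant_default_groups(groups):
    """Return the default groups that still hold any inbound or outbound rule."""
    return [g for g in groups if g["GroupName"] == "default"
            and (g.get("IpPermissions") or g.get("IpPermissionsEgress"))]


def revoke_calls(group):
    """Build (method name, kwargs) pairs for ec2.revoke_security_group_ingress and
    ec2.revoke_security_group_egress; passing the described IpPermissions back
    unchanged is how a revoke matches the existing rules."""
    calls = []
    if group.get("IpPermissions"):
        calls.append(("revoke_security_group_ingress",
                      {"GroupId": group["GroupId"], "IpPermissions": group["IpPermissions"]}))
    if group.get("IpPermissionsEgress"):
        calls.append(("revoke_security_group_egress",
                      {"GroupId": group["GroupId"], "IpPermissions": group["IpPermissionsEgress"]}))
    return calls


if __name__ == "__main__":
    # Live: import boto3; groups = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for g in find_noncompliant_default_groups(SAMPLE_GROUPS):
        for method, kwargs in revoke_calls(g):
            print(f"{g['VpcId']}: ec2.{method}(**{kwargs})")
```

Run the revoke calls only after instances that rely on the default group have been moved to a purpose-built security group.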

Important:

  • Instances that use the default security group may stop working when its rules are updated, so it is recommended to attach a proper security group to those instances.

Reference:

Blue Hexagon Proprietary