This rule ensures the default security group of every VPC restricts all traffic.
Rule | Ensure the default security group of every VPC restricts all traffic |
Framework | cis_v150 |
Severity | ✔ Critical |
Rule Description: Restrict all traffic in the default security group of every VPC to comply with CIS Amazon Web Services Foundations Benchmark (Version 1.5.0).
Description:
The default security group of every Virtual Private Cloud (VPC) must have no inbound and no outbound rules. Every VPC is created with a default security group that cannot be deleted, and any instance or network interface launched without an explicit security group is placed in it. Its factory rules allow all inbound traffic from other members of the group and all outbound traffic to any destination, so a resource that was never assigned a group silently gets broad east-west and egress access. Emptying the group forces every workload onto a purpose-built, least-privilege security group instead. This rule implements the corresponding requirement of the CIS Amazon Web Services Foundations Benchmark (Version 1.5.0).
Troubleshooting:
If an instance in a VPC can no longer send or receive traffic after this rule is applied, the instance is still relying on the default security group. Do not add rules back to the default group to restore connectivity; attach a purpose-built security group that allows only the traffic the workload needs, then confirm that the default group still shows no inbound or outbound rules. To troubleshoot the issue, follow these steps:
Code:
To empty the default security group you can use the AWS Command Line Interface (CLI) or the AWS Management Console. Move every resource that still uses the default group to a purpose-built group first, because the revokes below cut all traffic for anything left in it.
Using AWS CLI:
The factory-default rules are one inbound rule allowing all traffic from the group itself and one outbound rule allowing all traffic to 0.0.0.0/0 (plus ::/0 in IPv6-enabled VPCs). A revoke must match an existing rule exactly, so if the group has been edited since the VPC was created, revoke the entries reported by describe-security-groups rather than the factory defaults shown here.
# Revoke the factory-default inbound rule (all traffic from members of the group itself)
aws ec2 revoke-security-group-ingress --group-id <default-security-group-id> --ip-permissions '[{"IpProtocol":"-1","UserIdGroupPairs":[{"GroupId":"<default-security-group-id>"}]}]'
# Revoke the factory-default outbound rule (all traffic to 0.0.0.0/0; add {"Ipv6Ranges":[{"CidrIpv6":"::/0"}]} for VPCs with IPv6 egress)
aws ec2 revoke-security-group-egress --group-id <default-security-group-id> --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
# Verify: both lists must come back empty, i.e. [[], []]
aws ec2 describe-security-groups --group-ids <default-security-group-id> --query 'SecurityGroups[0].[IpPermissions,IpPermissionsEgress]'
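The audit and remediation logic above, worked through in Python as an added example; it is not the rule engine's code and not AWS's. Each function takes an EC2 client object, so the same code runs against boto3's real client (whose method names mirror the aws ec2 commands above) and against the constructed FakeEC2 class at the bottom, whose VPC and group identifiers (vpc-0aaa, sg-0aaa, sg-0bbb, sg-0ccc) are made up so the example runs offline. It revokes whatever rules the group currently holds rather than the factory defaults, skips the API call when there is nothing to revoke, and re-reads the group afterwards to verify.

```python
"""Audit and remediate the default security group of every VPC so that it
restricts all traffic (CIS AWS Foundations Benchmark 1.5.0).

Added example, not the rule engine's own code. Every function takes an EC2
client so it runs against boto3 in production and against FakeEC2 offline.
"""
import copy


def find_default_security_groups(ec2):
    """Every VPC has exactly one group named 'default' (it cannot be deleted),
    so a group-name filter finds all of them in the current region."""
    resp = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": ["default"]}])
    return resp["SecurityGroups"]


def is_compliant(sg):
    """Compliant only with no inbound AND no outbound rules; an allow-all
    egress rule on its own is already a finding."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def audit(ec2):
    """Return {VpcId: (GroupId, compliant)} for every default security group."""
    return {sg["VpcId"]: (sg["GroupId"], is_compliant(sg))
            for sg in find_default_security_groups(ec2)}


def remediate(ec2, sg):
    """Revoke the rules the group has right now, not the factory defaults:
    EC2 rejects a revoke for a rule that is not present, and the defaults
    (self-referencing ingress, 0.0.0.0/0 egress) may have been edited.
    Returns the number of permission entries revoked."""
    revoked = 0
    ingress = sg.get("IpPermissions") or []
    if ingress:  # skip the call entirely when there is nothing to revoke
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=ingress)
        revoked += len(ingress)
    egress = sg.get("IpPermissionsEgress") or []
    if egress:
        ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=egress)
        revoked += len(egress)
    return revoked


def remediate_all(ec2):
    """Fix every non-compliant default group, then re-read and verify.
    Returns {VpcId: entries_revoked}; raises if any group still has rules."""
    result = {}
    for sg in find_default_security_groups(ec2):
        if not is_compliant(sg):
            result[sg["VpcId"]] = remediate(ec2, sg)
    for vpc_id, (group_id, ok) in audit(ec2).items():
        if not ok:
            raise RuntimeError(f"{group_id} in {vpc_id} still has rules")
    return result


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client (assumption: only the calls
    used above). vpc-0aaa still has the factory-default rules, vpc-0bbb is
    already locked down, and sg-0ccc is a non-default group to be left alone."""

    def __init__(self):
        self.groups = {
            "sg-0aaa": {"GroupId": "sg-0aaa", "GroupName": "default", "VpcId": "vpc-0aaa",
                        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                                           "PrefixListIds": [],
                                           "UserIdGroupPairs": [{"GroupId": "sg-0aaa",
                                                                 "UserId": "123456789012"}]}],
                        "IpPermissionsEgress": [{"IpProtocol": "-1",
                                                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                                                 "Ipv6Ranges": [], "PrefixListIds": [],
                                                 "UserIdGroupPairs": []}]},
            "sg-0bbb": {"GroupId": "sg-0bbb", "GroupName": "default", "VpcId": "vpc-0bbb",
                        "IpPermissions": [], "IpPermissionsEgress": []},
            "sg-0ccc": {"GroupId": "sg-0ccc", "GroupName": "web", "VpcId": "vpc-0aaa",
                        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
                        "IpPermissionsEgress": []},
        }

    def describe_security_groups(self, Filters=None, GroupIds=None):
        groups = list(self.groups.values())
        if GroupIds:
            groups = [g for g in groups if g["GroupId"] in GroupIds]
        for f in Filters or []:
            if f["Name"] == "group-name":
                groups = [g for g in groups if g["GroupName"] in f["Values"]]
        return {"SecurityGroups": copy.deepcopy(groups)}  # a snapshot, like the real API

    def _revoke(self, group_id, key, permissions):
        current = self.groups[group_id][key]
        for perm in permissions:
            if perm not in current:  # real client: ClientError InvalidPermission.NotFound
                raise ValueError(f"InvalidPermission.NotFound: {group_id} {key}")
            current.remove(perm)

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self._revoke(GroupId, "IpPermissions", IpPermissions)

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self._revoke(GroupId, "IpPermissionsEgress", IpPermissions)


if __name__ == "__main__":
    try:
        import boto3  # real run; assumes credentials and a region are configured
        client = boto3.client("ec2")
    except ImportError:
        client = FakeEC2()
    print("before:", audit(client))
    print("revoked:", remediate_all(client))
    print("after:", audit(client))
```

Because the client is only ever one region's view, run remediate_all once per region (for example by creating one boto3 client per name returned by describe-regions); the default VPC that AWS pre-creates in every region has a default security group too.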
Using AWS Management Console:
Remediation Steps:
To remediate the non-compliant default security group(s) in the VPC, follow these step-by-step instructions:
By following these steps, you will ensure that the default security group of every VPC restricts all traffic, thereby complying with the CIS Amazon Web Services Foundations Benchmark (Version 1.5.0) requirement. Default security groups exist per VPC and VPCs are regional, so repeat the audit and remediation in every region the account uses, including regions that hold only the AWS-created default VPC.