
Ensure the Default Security Group Restricts All Traffic Rule

This rule ensures the default security group of every VPC restricts all traffic.

Rule: Ensure the default security group of every VPC restricts all traffic
Framework: cis_v150
Severity: Critical

Rule Description: Restrict all traffic in the default security group of every VPC to comply with CIS Amazon Web Services Foundations Benchmark (Version 1.5.0).

Description:

The default security group of every Virtual Private Cloud (VPC) must be configured to restrict all traffic. This rule is implemented to comply with the CIS Amazon Web Services Foundations Benchmark (Version 1.5.0) for enhanced security and control of inbound and outbound network traffic in AWS VPCs.

Troubleshooting:

If any instance in a VPC is unable to send or receive traffic after applying this rule, it may indicate that the default security group rules have not been configured correctly. To troubleshoot the issue, follow these steps:

  1. Verify that the default security group is associated with the affected VPC.
  2. Check the inbound and outbound rules of the default security group to ensure that they comply with the CIS benchmark's requirement of restricting all traffic.
  3. Confirm that the appropriate protocols, ports, and IP ranges are allowed, if required.
  4. If necessary, update the default security group rules to allow specific inbound and outbound traffic that is required for the instances in the VPC.

Code:

To configure the default security group to restrict all traffic, you can use the AWS Command Line Interface (CLI) or AWS Management Console.

Using AWS CLI:

  1. Open a terminal or command prompt.
  2. Ensure you have the AWS CLI installed and configured with the necessary credentials.
  3. Remove the default inbound rule (it allows all traffic from members of the group itself) so that no inbound traffic is allowed:
     aws ec2 revoke-security-group-ingress --group-id <default-security-group-id> --protocol all --source-group <default-security-group-id>
  4. Remove the default outbound rule (it allows all traffic to 0.0.0.0/0) so that no outbound traffic is allowed:
     aws ec2 revoke-security-group-egress --group-id <default-security-group-id> --protocol all --cidr 0.0.0.0/0
  5. Verify that the group now has no rules by running the following command and checking that both IpPermissions and IpPermissionsEgress are empty:
     aws ec2 describe-security-groups --group-ids <default-security-group-id>
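The same check and remediation can be scripted across every VPC at once. The following is an added example (not Cloud Defense's or AWS's own code): it evaluates a constructed sample shaped like the JSON that `aws ec2 describe-security-groups --filters Name=group-name,Values=default` returns, reports each default group that still has any rule, and builds the revoke calls that hand the rules back verbatim via `--ip-permissions`. Group and VPC IDs in the sample are made up.

```python
import json

# Constructed sample (not real account data) shaped like the output of
#   aws ec2 describe-security-groups --filters Name=group-name,Values=default
# sg-0aaa still carries the two rules AWS creates in every default group;
# sg-0bbb has already been stripped and is compliant.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "default", "VpcId": "vpc-0aaa",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "default", "VpcId": "vpc-0bbb",
     "IpPermissions": [], "IpPermissionsEgress": []},
]})


def find_noncompliant_defaults(describe_output):
    """Return {group_id: finding} for every default group that still has any rule.
    Security groups only ever allow traffic, so the CIS check reduces to:
    both the inbound and the outbound rule lists must be empty."""
    findings = {}
    for sg in json.loads(describe_output)["SecurityGroups"]:
        if sg["GroupName"] != "default":
            continue
        ingress, egress = sg.get("IpPermissions", []), sg.get("IpPermissionsEgress", [])
        if ingress or egress:
            findings[sg["GroupId"]] = {"vpc": sg["VpcId"], "ingress": ingress, "egress": egress}
    return findings


def revoke_commands(findings):
    """Build one revoke call per rule direction, passing the rules back verbatim.
    Feeding the describe output to --ip-permissions removes whatever rules exist
    (self-referencing, CIDR, IPv6 or prefix-list based) without spelling each
    one out with --protocol/--port/--cidr."""
    cmds = []
    for group_id, finding in findings.items():
        for direction, rules in (("ingress", finding["ingress"]), ("egress", finding["egress"])):
            if rules:
                cmds.append(["aws", "ec2", f"revoke-security-group-{direction}",
                             "--group-id", group_id, "--ip-permissions", json.dumps(rules)])
    return cmds


if __name__ == "__main__":
    for cmd in revoke_commands(find_noncompliant_defaults(SAMPLE_DESCRIBE_OUTPUT)):
        print(" ".join(cmd))  # review the printed commands before running them
```

Against a live account, replace the sample with the real describe output and re-run the describe call afterwards to confirm both rule lists are empty.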

Using AWS Management Console:

  1. Open the AWS Management Console and navigate to the EC2 service.
  2. Click on "Security Groups" in the left navigation pane.
  3. Find the default security group associated with the desired VPC.
  4. Select the default security group and click on the "Inbound Rules" tab.
  5. Edit the inbound rules and remove all existing rules (a security group has no deny rules; with no rules it allows no traffic).
  6. Click on the "Outbound Rules" tab.
  7. Edit the outbound rules and remove all existing rules.
  8. Save the changes and verify that the rules have been updated.

Remediation Steps:

To remediate the non-compliant default security group(s) in the VPC, follow these step-by-step instructions:

  1. Identify the VPC(s) with non-compliant default security group(s).
  2. Access the AWS Management Console or the AWS CLI.
  3. Navigate to the EC2 service.
  4. Select the default security group associated with the non-compliant VPC.
  5. Remove all inbound rules so that no inbound traffic is allowed.
  6. Remove all outbound rules so that no outbound traffic is allowed.
  7. Save the changes.
  8. Verify that the default security group now restricts all traffic by reviewing its rules.
  9. Repeat the remediation steps for any other non-compliant default security groups in other VPCs.

By following these steps, you will successfully ensure that the default security group of every VPC restricts all traffic, thereby complying with the CIS Amazon Web Services Foundations Benchmark (Version 1.5.0) requirement.
