
Rule: VPC Default Security Group Traffic Restrictions

This rule ensures VPC default security group does not allow unnecessary inbound and outbound traffic.

Rule: VPC default security group should not allow inbound and outbound traffic
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description:

The VPC default security group should not allow any inbound or outbound traffic, as required for alignment with CISA Cyber Essentials.

Policy Explanation:

CISA (Cybersecurity and Infrastructure Security Agency) Cyber Essentials is a set of recommendations to enhance the cybersecurity posture of an organization. One of the key recommendations is to restrict inbound and outbound traffic to minimize potential attack vectors. This policy enforces the restriction in the VPC default security group to align with CISA Cyber Essentials guidelines.

Troubleshooting Steps:

If there are issues related to inbound and outbound traffic in the VPC default security group for CISA Cyber Essentials, follow these troubleshooting steps:

1. Verify Security Group Rules: Check the inbound and outbound rules defined for the VPC default security group. Ensure that there are no rules allowing traffic that conflicts with CISA Cyber Essentials recommendations.

2. Check Attached Network Interfaces: Ensure that all attached network interfaces within the VPC abide by the inbound and outbound traffic restrictions described in the policy.

3. Validate Subnet ACLs: Confirm that the associated subnet network ACL (Access Control List) rules are not allowing traffic that contradicts the policy. Network ACLs apply at the subnet level as a separate filtering layer, so they should also be reviewed.

4. Review VPC Flow Logs: Analyze the VPC Flow Logs to identify any unauthorized or unexpected inbound/outbound traffic that violates the CISA Cyber Essentials policy.

5. Verify EC2 Instance Configuration: Check the configuration of any EC2 instances within the VPC. Ensure that their security groups align with the VPC default security group restrictions.

6. Consult AWS Documentation: If the troubleshooting steps above do not resolve the issue, refer to the AWS documentation or reach out to AWS Support for further assistance.

Necessary Code:

There is no specific code required for this policy as it involves modifying the VPC default security group rules and validating the configuration.

Remediation Steps:

Follow these steps to remediate the VPC default security group so that it disallows inbound and outbound traffic for CISA Cyber Essentials:

1. Identify the VPC: Determine the VPC ID in which the default security group is defined. This information can be obtained from the AWS Management Console or by using the AWS CLI command below:

    aws ec2 describe-security-groups --output table

2. Review Inbound Rules: List all the inbound rules associated with the VPC default security group:

    aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[0].IpPermissions[]' --output table

3. Remove Inbound Rules: Remove any inbound rules that allow traffic conflicting with CISA Cyber Essentials by using the following command:

    aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port> --cidr <source-cidr>

   Replace <security-group-id>, <protocol>, <port>, and <source-cidr> with the appropriate values specific to your environment.

4. Review Outbound Rules: List all the outbound rules associated with the VPC default security group:

    aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[0].IpPermissionsEgress[]' --output table

5. Remove Outbound Rules: Remove any outbound rules that allow traffic conflicting with CISA Cyber Essentials by using the following command:

    aws ec2 revoke-security-group-egress --group-id <security-group-id> --protocol <protocol> --port <port> --cidr <destination-cidr>

   Replace <security-group-id>, <protocol>, <port>, and <destination-cidr> with the appropriate values specific to your environment.

6. Verify Changes: Validate that the inbound and outbound rules have been updated correctly by checking the VPC default security group rules again.

7. Repeat for All Relevant VPCs: If you have multiple VPCs, repeat the above steps for each relevant VPC to ensure compliance with the CISA Cyber Essentials policy.
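As an added example that is not part of this rule page or of Cloud Defense's tooling, the following Python performs the review steps above offline against the JSON that `aws ec2 describe-security-groups` returns (a constructed sample with placeholder IDs, showing a default group still carrying AWS's initial rules). It lists every rule that fails this check and also builds the `--ip-permissions` form for the revoke commands, which is needed because the default group's initial inbound rule references the group itself rather than a CIDR, so the `--cidr` form shown in step 3 cannot match it.

```python
"""Offline check for the rule above: list every inbound/outbound rule present on a
VPC default security group, using the JSON shape returned by
`aws ec2 describe-security-groups`.  Added example; not Cloud Defense's code."""
import json
import sys

# Constructed sample (placeholder ids): a default group still carrying AWS's initial
# rules, inbound "all traffic from this group" and outbound "all traffic to anywhere".
SAMPLE_DESCRIBE = {"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0", "GroupName": "default", "VpcId": "vpc-0123456789abcdef0",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "123456789012"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "Ipv6Ranges": [], "UserIdGroupPairs": []}],
}]}


def describe_rule(perm):
    """Human-readable summary of one IpPermission entry (protocol, ports, peers)."""
    proto = "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"]
    ports = f" {perm['FromPort']}-{perm['ToPort']}" if "FromPort" in perm else ""
    peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    peers += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    peers += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return f"{proto}{ports} peers={','.join(peers) or 'none'}"


def default_sg_findings(sg):
    """One finding per rule on a default group; an empty list means the group passes."""
    if sg.get("GroupName") != "default":
        return []  # the rule only covers each VPC's default group
    return [f"{sg['GroupId']} ({sg.get('VpcId', '?')}) {direction}: {describe_rule(p)}"
            for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress"))
            for p in sg.get(key, [])]


def scan_describe_output(doc):
    """Run the check over a whole describe-security-groups document (all groups)."""
    return [f for sg in doc.get("SecurityGroups", []) for f in default_sg_findings(sg)]


def revoke_payloads(sg):
    """--ip-permissions JSON for revoke-security-group-ingress / -egress.  The default
    inbound rule names the group itself, not a CIDR, so revoking by --cidr cannot
    match it; passing the full permission objects back to the revoke command does."""
    return {"ingress": json.dumps(sg.get("IpPermissions", [])),
            "egress": json.dumps(sg.get("IpPermissionsEgress", []))}


if __name__ == "__main__":
    # Pipe real output in (aws ec2 describe-security-groups --filters
    # Name=group-name,Values=default | python3 this_script.py); otherwise use the sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE
    for finding in scan_describe_output(doc):
        print(finding)
```

An empty result from scan_describe_output means every default group in the document has no rules at all, which is the state this rule expects.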

Note: Care should be taken before making changes to the default security group as it may impact other resources in the VPC. It is recommended to create custom security groups for specific resources whenever possible.
