
Rule: VPC default security group should not allow inbound and outbound traffic

This rule ensures that the VPC default security group restricts all traffic to enhance security measures.

Rule: VPC default security group should not allow inbound and outbound traffic
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description

The VPC default security group should not allow inbound and outbound traffic for the FedRAMP Low Revision 4 security level.

Rule Explanation

The default security group in a VPC controls the network traffic for instances that are not associated with any specific security group. It is important to restrict inbound and outbound traffic in the default security group according to defined security standards. In this case, the rule specifies that the default security group should not allow any traffic for the FedRAMP Low Revision 4 security level.

Troubleshooting Steps

If the default security group is not properly configured to adhere to the rule, you may encounter issues while trying to limit inbound and outbound traffic for the specified security level. Here are some troubleshooting steps to ensure compliance:

  1. Verify default security group configuration: Check the current rules and settings of the default security group associated with your VPC. Ensure that there are no rules allowing inbound or outbound traffic for the FedRAMP Low Revision 4 security level.

  2. Review associated instances: Identify any instances that are associated with the default security group. Make sure that their inbound and outbound traffic is either explicitly denied or controlled using other security groups.

  3. Check network ACLs: Network ACLs (Access Control Lists) can override security group rules. Ensure that the associated network ACLs do not allow traffic for the specified security level.

  4. Test inbound and outbound connectivity: Validate that inbound and outbound traffic is correctly restricted for the FedRAMP Low Revision 4 security level by attempting to establish connections to and from instances associated with the default security group.

Remediation Steps

To remediate this issue and ensure that the default security group does not allow inbound and outbound traffic for the FedRAMP Low Revision 4 security level, follow these step-by-step instructions:

  1. Identify the default security group associated with your VPC:

     • Open the Amazon VPC console.
     • Navigate to the "Security Groups" section.
     • Locate the default security group.

  2. Configure inbound traffic rules:

     • Select the default security group.
     • In the "Inbound Rules" tab, review the existing rules.
     • If there are any rules allowing inbound traffic for the FedRAMP Low Revision 4 security level, edit or remove them.
     • Add any necessary restrictions or deny rules to block inbound traffic for the specified security level.

  3. Configure outbound traffic rules:

     • In the "Outbound Rules" tab of the default security group, review the existing rules.
     • If there are any rules allowing outbound traffic for the FedRAMP Low Revision 4 security level, edit or remove them.
     • Add any necessary restrictions or deny rules to prevent outbound traffic for the specified security level.

  4. Save the security group configuration changes.

  5. Verify the updated configuration:

     • Test inbound and outbound connectivity for instances associated with the default security group.
     • Confirm that traffic for the FedRAMP Low Revision 4 security level is denied.

By following these steps, you can ensure that the default security group does not allow inbound and outbound traffic for the specified security level, thus maintaining compliance with the rule.
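The following Python script is an added example, not Cloud Defense's tooling, that automates the check from the Troubleshooting section and prepares the remediation from the steps above. It works on data shaped like the EC2 DescribeSecurityGroups response (the same shape boto3's ec2.describe_security_groups() returns); the sample response embedded below is constructed for the example, and its group IDs, VPC IDs and account number are placeholders. One caveat the example relies on: AWS security groups are allow-only, so a default group "restricts all traffic" when its inbound and outbound rule lists are both empty, which is why the plan below revokes the existing rules rather than adding deny rules.

```python
"""Compliance check and dry-run remediation for the default-security-group rule.

Added example (not Cloud Defense's own code). Input is a dict shaped like the
EC2 DescribeSecurityGroups API response. No call to AWS is made; the plan it
produces holds the keyword arguments that boto3's
ec2.revoke_security_group_ingress() / ec2.revoke_security_group_egress()
accept, so a caller can apply it after review.
"""

# Constructed sample: VPC A's default group still carries the two rules AWS
# creates with every new VPC (allow all traffic from itself inbound, allow all
# traffic outbound). VPC B's default group has already been emptied. The "web"
# group is not a default group and must be ignored by the check.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaaaaaaaaaaaaaa1",          # placeholder ID
            "GroupName": "default",
            "VpcId": "vpc-0aaaaaaaaaaaaaaa1",          # placeholder ID
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaa1",
                                       "UserId": "123456789012"}]}
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
            ],
        },
        {
            "GroupId": "sg-0bbbbbbbbbbbbbbb2",          # placeholder ID
            "GroupName": "default",
            "VpcId": "vpc-0bbbbbbbbbbbbbbb2",          # placeholder ID
            "IpPermissions": [],
            "IpPermissionsEgress": [],
        },
        {
            "GroupId": "sg-0ccccccccccccccc3",          # placeholder ID
            "GroupName": "web",
            "VpcId": "vpc-0aaaaaaaaaaaaaaa1",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                               "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
            "IpPermissionsEgress": [],
        },
    ]
}


def default_groups(response):
    """Return the default security group of every VPC in the response.

    AWS names each VPC's default group "default"; that name cannot be used for
    a user-created group, so matching on it is reliable.
    """
    return [g for g in response["SecurityGroups"] if g["GroupName"] == "default"]


def evaluate(response):
    """Map each default group's ID to its compliance status.

    Security groups are allow-only, so a group restricts all traffic exactly
    when both its inbound (IpPermissions) and outbound (IpPermissionsEgress)
    rule lists are empty.
    """
    return {
        g["GroupId"]: {
            "VpcId": g["VpcId"],
            "compliant": not g["IpPermissions"] and not g["IpPermissionsEgress"],
            "inbound_rules": len(g["IpPermissions"]),
            "outbound_rules": len(g["IpPermissionsEgress"]),
        }
        for g in default_groups(response)
    }


def remediation_plan(response):
    """Build the revoke calls that would empty every non-compliant default group.

    Each entry carries the existing rule objects verbatim as IpPermissions,
    which is what the revoke APIs expect. Nothing is sent to AWS here.
    """
    plan = []
    for g in default_groups(response):
        if g["IpPermissions"]:
            plan.append({"action": "revoke_security_group_ingress",
                         "GroupId": g["GroupId"],
                         "IpPermissions": g["IpPermissions"]})
        if g["IpPermissionsEgress"]:
            plan.append({"action": "revoke_security_group_egress",
                         "GroupId": g["GroupId"],
                         "IpPermissions": g["IpPermissionsEgress"]})
    return plan


if __name__ == "__main__":
    for group_id, status in evaluate(SAMPLE_RESPONSE).items():
        print(group_id, status)
    for step in remediation_plan(SAMPLE_RESPONSE):
        print(step["action"], step["GroupId"], step["IpPermissions"])
```

To run this against a real account, feed it the pages returned by boto3's `describe_security_groups` paginator instead of `SAMPLE_RESPONSE`, review the plan, and only then pass each entry's `GroupId` and `IpPermissions` to the matching revoke call. Do the instance review from step 2 of the Troubleshooting section first: any instance that still relies on the default group loses connectivity once its rules are revoked, which is the intended end state but should not come as a surprise.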
