
Rule: VPC Default Security Group Restrictions

Ensure VPC default security group restricts all traffic for compliance.

Rule: VPC default security group should not allow inbound and outbound traffic
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule Description:

Every VPC comes with a default security group that cannot be deleted. AWS creates it with two rules: an inbound rule allowing all traffic from any resource that is itself in the default group (a self-referencing rule), and an outbound rule allowing all traffic to 0.0.0.0/0 (and to ::/0 once the VPC has an IPv6 CIDR). Any instance or network interface launched without an explicit security group lands in this default group. This rule, mapped to FedRAMP Low Revision 4, requires that the default security group of every VPC carry no inbound and no outbound rules at all. With the rules removed, a resource that is placed in the default group by accident or by a misconfigured template has no network access until someone deliberately attaches a purpose-built security group, which is the behaviour the control wants.

Troubleshooting Steps:

If a VPC's default security group still carries any inbound or outbound rule, remediate it as follows:

  1. Identify the VPC whose default security group was flagged, starting from the Amazon VPC console.

  2. Select the security group named "default" for that VPC and review its inbound and outbound rules. An untouched default group has one inbound rule (all traffic, source: the group itself) and one outbound rule (all traffic to 0.0.0.0/0).

  3. Note every rule present. All of them have to go, including the self-referencing inbound rule; the control requires an empty rule set, not merely the absence of wide-open rules.

  4. Determine which resources (EC2 instances, network interfaces, RDS instances, Lambda functions, load balancers) currently reference the default security group and which of them genuinely need inbound or outbound connectivity.

  5. For those resources, create a new security group with only the rules they need: specific ports, specific sources and destinations, and no 0.0.0.0/0 unless the service is intentionally public.

  6. Attach the new security group to those resources and detach the default group from them.

  7. Once no resource that needs connectivity still depends on the default group, delete every inbound and outbound rule from it. The group itself cannot be deleted; leaving it with zero rules is the goal.

  8. Confirm that the default security group now lists no inbound and no outbound rules, in every VPC of every region in scope.

Necessary Code:

No application code changes are needed. The check and the fix are security group configuration changes, made in the AWS Management Console, with the AWS CLI, or with an SDK; the API operations involved are DescribeSecurityGroups to find each VPC's default group and RevokeSecurityGroupIngress / RevokeSecurityGroupEgress to strip its rules. For continuous detection after remediation, the AWS Config managed rule vpc-default-security-group-closed evaluates the same condition.

Step-by-step Guide for Remediation:

To bring a default security group that still allows inbound or outbound traffic into compliance from the console:

  1. Log in to the AWS Management Console and open the Amazon VPC service.

  2. Select the VPC that owns the flagged default security group.

  3. Open Security Groups, find the group named "default" for that VPC, and click its ID to open its detailed configuration.

  4. Review the inbound and outbound rules listed for the default security group.

  5. Note every rule present; each one must be removed, the self-referencing inbound rule included.

  6. Determine which resources currently reference the default security group and which of them need inbound or outbound connectivity.

  7. Create a new security group with only the rules those resources need.

  8. Update each of those resources to use the newly created security group instead of the default one.

  9. Once all affected resources have been moved, delete every inbound and outbound rule from the default security group.

  10. Re-open the default security group and confirm that both its inbound and outbound rule lists are empty.

  11. Test the connectivity of the resources that were moved to the new security group to confirm they still communicate as expected. Anything left in the default group will have lost all network access, which is the intended outcome for unplanned attachments.

Following these steps leaves the default security group of the VPC with no inbound or outbound rules, which is what FedRAMP Low Revision 4 requires of it and what keeps accidentally attached resources isolated.
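The troubleshooting steps and the console guide above describe the same procedure: find each VPC's default group, record its rules, and revoke all of them. The following script is an added example (not Cloud Defense's code and not part of the original page) that does the same thing programmatically. It evaluates the dict shape that boto3's ec2.describe_security_groups() returns and builds the exact revoke_security_group_ingress / revoke_security_group_egress calls needed. The sample security group, its IDs and the account ID are constructed to look like a freshly created VPC's default group; the RecordingClient is a stand-in so the script runs offline as a dry run.

```python
"""Check and remediate a VPC default security group (added example, not Cloud
Defense's code). Works on the dict shape boto3's ec2.describe_security_groups()
returns and builds the matching revoke_security_group_ingress / _egress calls.
All IDs below (sg-..., vpc-..., the account ID) are constructed, not real."""
import copy
import json

# Constructed sample: an untouched default group. AWS creates it with one inbound
# rule (all protocols, source = the group itself) and one outbound rule (all
# protocols to 0.0.0.0/0). IpProtocol "-1" means "all traffic".
SAMPLE_DEFAULT_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "default",
    "VpcId": "vpc-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "111122223333"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}
# Constructed sample: the same group after remediation (compliant).
COMPLIANT_DEFAULT_SG = {"GroupId": "sg-0123456789abcdef0", "GroupName": "default",
                        "VpcId": "vpc-0123456789abcdef0",
                        "IpPermissions": [], "IpPermissionsEgress": []}


def evaluate_default_sg(sg):
    """Return (direction, rule) for every rule on the group; [] means compliant.

    The self-referencing inbound rule AWS creates is a finding too: the control
    requires the default group to carry no rules at all.
    """
    findings = []
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for rule in sg.get(key, []):
            findings.append((direction, rule))
    return findings


def build_revoke_calls(sg):
    """Turn findings into (boto3 method name, kwargs) pairs.

    Revoke* removes only a rule whose IpPermissions entry matches exactly, so
    each rule is passed back as DescribeSecurityGroups returned it.
    """
    calls = []
    for direction, rule in evaluate_default_sg(sg):
        method = "revoke_security_group_" + direction   # ..._ingress or ..._egress
        calls.append((method, {"GroupId": sg["GroupId"],
                               "IpPermissions": [copy.deepcopy(rule)]}))
    return calls


def remediate(client, sg):
    """Issue the revokes on any object with the two boto3 methods (a real
    boto3.client("ec2"), or RecordingClient for a dry run). Returns call count."""
    calls = build_revoke_calls(sg)
    for method, kwargs in calls:
        getattr(client, method)(**kwargs)
    return len(calls)


class RecordingClient:
    """Stand-in for an EC2 client: records calls instead of changing anything."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke_security_group_ingress", kwargs))
        return {"Return": True}

    def revoke_security_group_egress(self, **kwargs):
        self.calls.append(("revoke_security_group_egress", kwargs))
        return {"Return": True}


if __name__ == "__main__":
    for sg in (SAMPLE_DEFAULT_SG, COMPLIANT_DEFAULT_SG):
        n = len(evaluate_default_sg(sg))
        print(f"{sg['VpcId']} {sg['GroupId']}: {'NON-COMPLIANT' if n else 'compliant'} ({n} rule(s))")
    dry = RecordingClient()
    remediate(dry, SAMPLE_DEFAULT_SG)          # dry run: nothing changes in AWS
    for method, kwargs in dry.calls:
        print(method, json.dumps(kwargs))
    # Against a real account (assumed; needs credentials and ec2:Describe*/Revoke* rights):
    #   import boto3; ec2 = boto3.client("ec2")
    #   for sg in ec2.describe_security_groups(
    #           Filters=[{"Name": "group-name", "Values": ["default"]}])["SecurityGroups"]:
    #       remediate(ec2, sg)
```

Run it with the RecordingClient first and read the printed revoke calls before pointing it at a real client: revoking the outbound rule severs every resource that still sits in the default group, so step 4 of the procedure (finding what references the group) has to be done before the revokes, not after. Repeat per region, since each region's VPCs have their own default groups.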
