
Rule: VPC Default Security Group Restriction

Ensure VPC default security group restricts inbound and outbound traffic to enhance system protection.

Rule: VPC default security group should not allow inbound and outbound traffic
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description

The VPC default security group should not allow any inbound or outbound traffic, in accordance with the NIST 800-171 Revision 2 requirement. Every VPC is created with a default security group that is attached automatically to any network interface launched without an explicit security group, so leaving rules on it grants network access by accident rather than by design. Emptying it enforces a secure network perimeter, protects sensitive information and reduces the risk of unauthorized access.

Troubleshooting Steps

If the VPC default security group allows inbound and outbound traffic, follow these troubleshooting steps to remediate the issue:

  1. Identify the VPC: Determine the VPC in which the default security group is present. In the AWS Management Console, navigate to the VPC Dashboard and view the list of VPCs.

  2. Assess Security Group Rules: Select the default security group associated with the VPC and review the inbound and outbound rules configured. Ensure that no rules permit inbound or outbound traffic.

  3. Check Network ACLs: Check which network ACLs are associated with the VPC's subnets. Network ACLs are a separate, subnet-level filtering layer that is evaluated independently of security groups, so they must be reviewed on their own. Navigate to the VPC Dashboard, choose the VPC, and inspect the associated network ACLs to verify they do not permit unintended inbound or outbound traffic.

  4. Confirm Route Table Entries: Ensure that the default route table for the VPC does not have any entries that route traffic between subnets or to external networks beyond what is required. Open the VPC Dashboard, select the VPC, and examine the route table to validate the entries.

  5. Review EC2 Instances: Check whether any EC2 instances have network interfaces attached to the VPC default security group. Verify that those interfaces do not rely on default security group rules permitting inbound or outbound traffic. If needed, modify the security group rules associated with those instances.

Remediation Steps

To enforce the NIST 800-171 Revision 2 requirement and restrict inbound and outbound traffic in the VPC default security group, follow these steps:

  1. Open the AWS Management Console and navigate to the VPC Dashboard.

  2. Select the VPC that contains the default security group that needs to be modified.

  3. Click on "Security Groups" in the left-hand menu to view the list of security groups associated with the selected VPC.

  4. Locate the default security group and click on its ID to open its configuration.

  5. In the "Inbound Rules" tab, remove any rules that allow inbound traffic. If any legitimate inbound access is required, modify the rules to allow only specific IP addresses or ranges.

  6. Proceed to the "Outbound Rules" tab and remove any rules that permit outbound traffic. If necessary, create outbound rules that explicitly allow required traffic to specific IP addresses or ranges.

  7. If network ACLs are associated with the VPC, ensure they do not permit inbound or outbound traffic. Modify the ACL rules if needed to conform to the NIST 800-171 Revision 2 requirement.

  8. Verify that the default route table for the VPC does not contain any entries that allow traffic between subnets or external networks. Remove or modify any such entries that violate the security requirements.

  9. Finally, review any EC2 instances associated with the VPC default security group and ensure their network interfaces adhere to the amended security rules. Modify the security group rules associated with instances if necessary.

  10. Once all the changes are made, save the modified configuration.

By following these steps, the VPC default security group will enforce the NIST 800-171 Revision 2 requirement by disallowing inbound and outbound traffic, thus enhancing the overall security of the environment.
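As an added example (not Cloud Defense's or AWS's code), the following Python script performs the check from troubleshooting step 2 and prepares the rule removal from remediation steps 5 and 6 programmatically. It works on the data shape returned by the EC2 DescribeSecurityGroups API, so it runs offline against the constructed sample group below; the group IDs, VPC ID and account number in that sample are placeholders. The boto3 operations it uses (describe_security_groups with the group-name filter, revoke_security_group_ingress and revoke_security_group_egress) are real EC2 API calls, invoked only when boto3 is installed, credentials are configured and dry_run is switched off.

```python
"""Evaluate a VPC default security group against this rule and build the
RevokeSecurityGroupIngress/Egress calls that empty it. Works on the dict
shape of EC2 DescribeSecurityGroups, so it runs offline on the sample below.
"""
from typing import Any

# Constructed sample in the DescribeSecurityGroups shape: the two rules AWS
# creates on a new VPC's default group (inbound "all from this group",
# outbound "all to anywhere"). IDs and the account number are placeholders.
SAMPLE_DEFAULT_SG: dict[str, Any] = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "default",
    "VpcId": "vpc-0123456789abcdef0",
    "IpPermissions": [{
        "IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "111122223333"}],
    }],
    "IpPermissionsEgress": [{
        "IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
        "PrefixListIds": [], "UserIdGroupPairs": [],
    }],
}


def describe_rule(perm: dict[str, Any]) -> str:
    """Render one IpPermissions entry as a short, readable string."""
    peers = (
        [r["CidrIp"] for r in perm.get("IpRanges", [])]
        + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        + [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
        + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    )
    peer_text = ", ".join(peers) or "no peers"
    if perm.get("IpProtocol") == "-1":  # "-1" means every protocol and port
        return f"all traffic <-> {peer_text}"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    ports = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{perm['IpProtocol']}/{ports} <-> {peer_text}"


def evaluate_default_sg(sg: dict[str, Any]) -> dict[str, Any]:
    """Finding for one group: compliant only when it carries no inbound and
    no outbound rules at all, the state this rule requires of the default group."""
    inbound = [describe_rule(p) for p in sg.get("IpPermissions", [])]
    outbound = [describe_rule(p) for p in sg.get("IpPermissionsEgress", [])]
    return {
        "group_id": sg["GroupId"],
        "vpc_id": sg.get("VpcId"),
        "is_default": sg.get("GroupName") == "default",
        "inbound": inbound,
        "outbound": outbound,
        "compliant": not inbound and not outbound,
    }


def build_revoke_plan(sg: dict[str, Any]) -> dict[str, list[dict[str, Any]]]:
    """IpPermissions lists for RevokeSecurityGroupIngress/Egress. EC2 accepts
    the entries exactly as DescribeSecurityGroups returned them, so the plan
    is simply the group's current rule sets."""
    return {
        "ingress": list(sg.get("IpPermissions", [])),
        "egress": list(sg.get("IpPermissionsEgress", [])),
    }


def remediate(ec2, sg: dict[str, Any], dry_run: bool = True) -> dict[str, int]:
    """Revoke every rule on the group via a boto3 EC2 client. With dry_run=True
    (the default) nothing is called; the counts show what would be removed."""
    plan = build_revoke_plan(sg)
    if not dry_run:
        if plan["ingress"]:
            ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=plan["ingress"])
        if plan["egress"]:
            ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=plan["egress"])
    return {"ingress_revoked": len(plan["ingress"]), "egress_revoked": len(plan["egress"])}


def main() -> None:
    try:  # live data when boto3 and credentials exist; otherwise the constructed sample
        import boto3
        ec2 = boto3.client("ec2")
        groups = ec2.describe_security_groups(
            Filters=[{"Name": "group-name", "Values": ["default"]}])["SecurityGroups"]
    except Exception:
        groups = [SAMPLE_DEFAULT_SG]
    for sg in groups:
        f = evaluate_default_sg(sg)
        print("PASS" if f["compliant"] else "FAIL", f["group_id"], "vpc", f["vpc_id"])
        for rule in f["inbound"]:
            print("  inbound :", rule)
        for rule in f["outbound"]:
            print("  outbound:", rule)


if __name__ == "__main__":
    main()
```

Run against the sample, the script reports FAIL with one inbound rule (all traffic from the group itself) and one outbound rule (all traffic to 0.0.0.0/0); these are the rules AWS places on every new VPC's default group, so a freshly created VPC already violates the rule until someone empties the group. Keep dry_run=True until step 9 above has confirmed that no network interface still depends on the default group for its connectivity, because revoking the self-referencing inbound rule also cuts instance-to-instance traffic between members of that group.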
