Rule: VPC Default Security Group Restriction
This rule ensures VPC default security group does not allow inbound and outbound traffic.
| Rule | VPC default security group should not allow inbound and outbound traffic |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description:
The VPC default security group should have inbound and outbound traffic disabled as per NIST 800-53 Revision 5 guidelines. This ensures that the default security group does not allow any unauthorized network traffic to enter or leave the VPC, enhancing the overall security posture of the environment.
Remediation Steps:
- 1.Login to the AWS Management Console.
- 2.Navigate to the Amazon VPC service.
Disabling Inbound Traffic:
- 1.In the navigation pane, click on "Security Groups".
- 2.Locate the default security group for the desired VPC.
- 3.Select the default security group and click on the "Inbound Rules" tab.
- 4.Review the inbound rules and ensure that there are no rules allowing inbound traffic.
- 5.If any rules exist, select them and click on the "Delete" button to remove them.
- 6.Verify that the inbound rules are completely empty, disallowing any inbound traffic.
Disabling Outbound Traffic:
- 1.Select the default security group again and click on the "Outbound Rules" tab.
- 2.Review the outbound rules and ensure that there are no rules allowing outbound traffic.
- 3.If any rules exist, select them and click on the "Delete" button to remove them.
- 4.Verify that the outbound rules are completely empty, disallowing any outbound traffic.
Troubleshooting Steps:
If the default security group rules are not properly configured or disabled, it may cause issues with connectivity or prevent necessary communication within the VPC. Here are some troubleshooting steps:
- 1.Check the default security group rules:
- Ensure that there are no inbound rules allowing unwanted traffic.
- Ensure that there are no outbound rules allowing unwanted traffic.
- 2.Verify the VPC subnet configurations:
- Check if the associated subnets are properly mapped to the default security group.
- Ensure that the subnet route table allows necessary traffic.
- 3.Review the network ACLs (if applicable):
- Check if any network ACLs are restricting traffic.
- Verify if the default security group is correctly associated with the subnet in the network ACL.
- 4.Inspect the instance configurations:
- Verify the security group associations of the EC2 instances in the VPC.
- Ensure that the instances are associated with the desired default security group.
- 5.Check for any other custom security groups:
- Review if any custom security groups are overriding the default security group settings.
If the above troubleshooting steps do not resolve the connectivity issues, consult AWS support or consider seeking assistance from a networking expert.
Code Example:
No specific code examples are required for this rule as it involves using the AWS Management Console to modify security group configurations.