Rule: VPC Default Security Group Restriction
This rule ensures VPC default security group restricts inbound and outbound traffic.
| Rule | VPC default security group should not allow inbound and outbound traffic |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ Medium |
Rule Description:
The VPC default security group should not allow any inbound or outbound traffic as per the NIST 800-53 Revision 5 security guidelines.
This rule ensures that the default security group, which is automatically created for every Amazon Virtual Private Cloud (VPC), is configured to restrict all network traffic, minimizing the risk of unauthorized access or data exfiltration.
Troubleshooting Steps:
If you find that the VPC default security group allows inbound or outbound traffic, you can follow these troubleshooting steps to remediate the issue:
- 1.Identify the default security group associated with your VPC.
- 2.Review the inbound and outbound rules of the default security group.
- 3.Remove any existing rules that allow inbound or outbound traffic.
- 4.Ensure that no exceptions are added that would allow unintended network access.
- 5.Verify that the default security group now restricts all inbound and outbound traffic.
Required Codes:
To remediate the VPC default security group to disallow inbound and outbound traffic, you may need to use the following AWS Command Line Interface (CLI) commands:
- 1.To identify the default security group associated with your VPC:
aws ec2 describe-security-groups --query 'SecurityGroups[?GroupName==`default`]'
- 1.To remove inbound rules allowing traffic (replace
with the actual ID of the default security group):group-id
aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol -1 --cidr 0.0.0.0/0
- 1.To remove outbound rules allowing traffic (replace
with the actual ID of the default security group):group-id
aws ec2 revoke-security-group-egress --group-id <group-id> --protocol -1 --cidr 0.0.0.0/0
Step-by-Step Guide for Remediation:
- 1.
Open the AWS CLI or AWS Management Console.
- 2.
Identify the default security group associated with your VPC:
- Run the CLI command mentioned above:
aws ec2 describe-security-groups --query 'SecurityGroups[?GroupName==`default`]' - Note down the security group ID for further steps.
- 3.
Review the inbound rules:
- Using the AWS Management Console:
- Go to the Amazon VPC dashboard.
- Navigate to the Security Groups section.
- Find the security group with the ID noted in the previous step.
- Verify that there are no inbound rules allowing traffic from any source IP or range. If found, delete those rules.
- Using the AWS CLI:
- Run the CLI command to remove inbound rules allowing traffic (replace
with the actual ID of the default security group):<group-id>
aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol -1 --cidr 0.0.0.0/0
- 4.
Review the outbound rules:
- Using the AWS Management Console:
- Follow the same steps as in the previous point, but focus on the outbound rules.
- Verify that there are no outbound rules allowing traffic to any destination IP or range. If found, delete those rules.
- Using the AWS CLI:
- Run the CLI command to remove outbound rules allowing traffic (replace
with the actual ID of the default security group):<group-id>
aws ec2 revoke-security-group-egress --group-id <group-id> --protocol -1 --cidr 0.0.0.0/0
- 5.
Verify the changes:
- Double-check the inbound and outbound rules of the default security group using the AWS Management Console or CLI to ensure all rules allowing traffic have been removed.
- Confirm that the default security group now restricts all inbound and outbound traffic.
By following these steps and removing any inbound and outbound rules allowing traffic, you will ensure compliance with the NIST 800-53 Revision 5 security guidelines for the VPC default security group.