AWS Default Security Group Does Not Restrict All Traffic

This policy identifies a default security group that does not restrict all inbound and outbound traffic. Every VPC comes with a default security group whose initial configuration denies all inbound traffic from the internet and allows all outbound traffic. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. As a result, the instance may accidentally send outbound traffic.

Policy Details

Policy Subtype: Run, Build
Severity: High
Template Type: Terraform

Build Rules

AWS Default Security Group does not restrict all traffic.
JSON Query:
$.resource[*].aws_default_security_group exists and ($.resource[*].aws_default_security_group[*].*[*].ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group[*].*[*].ingress[*].ipv6_cidr_blocks[*] contains ::/0 or $.resource[*].aws_default_security_group[*].*[*].egress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_default_security_group[*].*[*].egress[*].ipv6_cidr_blocks[*] contains ::/0)
Recommendation:
Recommended solution for making the AWS default security group restrict all traffic.
It is recommended that the AWS default security group restrict all traffic. Make sure that the cidr_blocks attribute (and the ipv6_cidr_blocks attribute) under the egress and ingress blocks is not set to 0.0.0.0/0 (or ::/0).
For example:
  "aws_default_security_group": [
    {
      "<default_security_group_name>": [
        {
          "egress": [
            { "cidr_blocks": [ "0.0.0.0/1" ], "from_port": 0, "protocol": "-1", "to_port": 0 }
          ],
          "ingress": [
            { "cidr_blocks": [ "<trusted_cidr>" ], "from_port": 0, "protocol": "-1", "self": true, "to_port": 0 }
          ],
          "vpc_id": "${aws_vpc.mainvpc.id}"
        }
      ]
    }
  ]
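The JSON query above can be expressed as a short script, which is useful for understanding what the build rule flags. The following is an added example, not Prisma Cloud's own evaluator; it assumes the Terraform resource block is a dict keyed by resource type (as in the page's example) and walks the same path the query does, returning every ingress or egress rule that allows all IPv4 or IPv6 traffic.

```python
from typing import Iterator

# Ranges the page's JSON query treats as "allow all" (IPv4 and IPv6).
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def _iter_rules(resource: dict) -> Iterator[tuple[str, str, dict]]:
    """Walk resource.aws_default_security_group[*].<name>[*].{ingress,egress}[*]
    and yield (sg_name, direction, rule) for every rule found."""
    for entry in resource.get("aws_default_security_group", []):
        for sg_name, instances in entry.items():
            for instance in instances:
                for direction in ("ingress", "egress"):
                    for rule in instance.get(direction, []):
                        yield sg_name, direction, rule


def find_open_rules(tf_json: dict) -> list[tuple[str, str, str]]:
    """Return (sg_name, direction, cidr) for each ingress/egress rule whose
    cidr_blocks or ipv6_cidr_blocks contains an unrestricted range.
    An empty list means the default security group passes the policy."""
    findings = []
    for sg_name, direction, rule in _iter_rules(tf_json.get("resource", {})):
        for key in ("cidr_blocks", "ipv6_cidr_blocks"):
            for cidr in rule.get(key, []):
                if cidr in OPEN_CIDRS:
                    findings.append((sg_name, direction, cidr))
    return findings


def _sg(ingress: list, egress: list) -> dict:
    """Build a constructed resource block in the page's shape (assumption:
    the 'resource' value is a dict keyed by Terraform resource type)."""
    instance = {"ingress": ingress, "egress": egress, "vpc_id": "${aws_vpc.mainvpc.id}"}
    return {"resource": {"aws_default_security_group": [{"default": [instance]}]}}


# Constructed sample 1: allow-all IPv6 ingress plus allow-all IPv4 egress -> fails.
OPEN_CONFIG = _sg(
    ingress=[{"protocol": "-1", "from_port": 0, "to_port": 0, "ipv6_cidr_blocks": ["::/0"]}],
    egress=[{"protocol": "-1", "from_port": 0, "to_port": 0, "cidr_blocks": ["0.0.0.0/0"]}],
)

# Constructed sample 2: no ingress/egress rules at all, which is how Terraform
# strips every rule from the adopted default security group -> passes.
LOCKED_CONFIG = _sg(ingress=[], egress=[])

if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("locked", LOCKED_CONFIG)):
        print(label, find_open_rules(cfg) or "compliant")
```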

Run Rule Recommendation

  1. Sign in to the AWS console.
  2. In the console, select from the region drop-down at the top right corner the region for which the alert was generated.
  3. Navigate to the 'VPC' service.
  4. For each region, click on the 'Security Groups' entry specific to the alert.
  5. Click on 'Inbound Rules' and remove the row whose IP 'Source' value is 0.0.0.0/0.
  6. Click on 'Outbound Rules' and remove the row whose IP 'Destination' value is 0.0.0.0/0.

Compliance

There are 11 standards that are applicable to this policy:
  • ISO 27001:2013
  • NIST CSF
  • GDPR
  • CIS v1.2.0 (AWS)
  • CSA CCM v3.0.1
  • SOC 2
  • PIPEDA
  • HITRUST CSF v9.3
  • CCPA 2018
  • NIST 800-171 Rev1
  • NIST 800-53 Rev4
