
Unrestricted Default Security Groups


Risk level: Medium (should be achieved)

Ensure that your AWS EC2 default security groups restrict all inbound public traffic, so that AWS users (EC2 administrators, resource managers, etc.) are required to create custom security groups that follow the principle of least privilege instead of relying on the default security groups.

This rule resolution is part of the Cloud Conformity Base Auditing Package

Because many AWS users tend to attach the default security group to their EC2 instances during the launch process, any default security group configured to allow unrestricted access increases the opportunities for malicious activity such as hacking, denial-of-service attacks or brute-force attacks.

Audit

To determine if your EC2 default security groups allow public inbound traffic, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Click inside the attributes filter box located under the dashboard top menu, choose Group Name from the dropdown list and enter default to return the EC2 default security group.

05 Select the security group returned as result.

06 Select the Inbound tab from the dashboard bottom panel.

07 Verify the value in the Source column for each inbound/ingress rule defined. If one or more rules have the source set to Anywhere (0.0.0.0/0 or ::/0), the selected default security group allows public inbound traffic and therefore does not follow the AWS security best practices.

08 Change the AWS region from the navigation bar and repeat the audit process for the remaining regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with the appropriate filter to expose the inbound traffic source(s) for the default security group within the selected region:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--filters Name=group-name,Values='default' \
	--output table \
	--query 'SecurityGroups[*].IpPermissions[*].IpRanges'

02 The command output should return a table with the requested security group information. If the command returns no output, the default security group does not allow public inbound traffic; otherwise it returns the inbound traffic source IP(s)/IP range(s) defined, as shown in the following example:

------------------------
|DescribeSecurityGroups|
+----------------------+
|        CidrIp        |
+----------------------+
|  0.0.0.0/0           |
|  ::/0                |
|  52.235.140.10/32    |
|  51.44.109.147/32    |
+----------------------+

If any of the IP(s)/IP range(s) returned is equal to 0.0.0.0/0 or ::/0, the selected default security group allows public inbound traffic and therefore does not follow the AWS security best practices.

03 Repeat step no. 1 and 2 to perform the audit process for other AWS regions.
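The check in steps 1 and 2 can be scripted for every region at once. The Python program below is an added example, not Cloud Conformity's own code: it evaluates the IpPermissions structure that describe-security-groups returns and flags every rule whose source is 0.0.0.0/0 or ::/0. Unlike the --query above, which reads only IpRanges, it also reads Ipv6Ranges, the field in which the EC2 API reports IPv6 sources such as ::/0. The sample output and the group IDs in it are constructed, and the live audit_region function assumes boto3 and AWS credentials are available.

```python
"""Added example (not Cloud Conformity's code): audit EC2 default security
groups for inbound rules open to the world, from describe-security-groups
output. Sample data below is constructed; group IDs are placeholders."""
import ipaddress
import json

WORLD_V4 = ipaddress.ip_network("0.0.0.0/0")
WORLD_V6 = ipaddress.ip_network("::/0")


def is_public_cidr(cidr):
    """True only for the two 'Anywhere' prefixes; a /32 or a partial range is not."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net == WORLD_V4 or net == WORLD_V6


def public_ingress(ip_permissions):
    """Return (protocol, from_port, to_port, source) for each rule open to the world.
    Both IpRanges (IPv4) and Ipv6Ranges (IPv6) are inspected."""
    findings = []
    for perm in ip_permissions:
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if is_public_cidr(cidr):
                findings.append((perm.get("IpProtocol"), perm.get("FromPort"),
                                 perm.get("ToPort"), cidr))
    return findings


def audit_default_groups(describe_output):
    """describe_output: parsed JSON of describe-security-groups filtered on
    group-name=default. Returns {GroupId: findings} for non-compliant groups only."""
    results = {}
    for sg in describe_output.get("SecurityGroups", []):
        found = public_ingress(sg.get("IpPermissions", []))
        if found:
            results[sg["GroupId"]] = found
    return results


def audit_region(region):
    """Live variant: fetch the default group(s) of one region and audit them.
    boto3 is imported here so the offline functions above work without it."""
    import boto3  # assumes boto3 and AWS credentials are available
    ec2 = boto3.client("ec2", region_name=region)
    output = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": ["default"]}])
    return audit_default_groups(output)


# Constructed sample output modelled on the page's table: one default group
# open on tcp/80 (IPv4) and tcp/22 (IPv6), one restricted to /32 sources.
SAMPLE_OUTPUT = {
    "SecurityGroups": [
        {
            "GroupId": "sg-open0000example",  # constructed placeholder ID
            "GroupName": "default",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "52.235.140.10/32"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                 "PrefixListIds": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-safe0000example",  # constructed placeholder ID
            "GroupName": "default",
            "IpPermissions": [
                {"IpProtocol": "-1",  # all traffic, but only from one /32
                 "IpRanges": [{"CidrIp": "51.44.109.147/32"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
            ],
        },
    ]
}

if __name__ == "__main__":
    # Offline run over the constructed sample; only the open group is reported.
    print(json.dumps(audit_default_groups(SAMPLE_OUTPUT), indent=2))
```

Run the file directly to audit the constructed sample; with credentials in place, call audit_region("us-east-1") and the other region names to audit live groups. Every group in a non-empty result is a default security group that needs the remediation below.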

Remediation / Resolution

To restrict public inbound traffic to your default security groups and use custom security groups instead of default ones for your EC2 instances, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Click inside the attributes filter box located under the dashboard top menu, choose Group Name from the dropdown list and enter default to return the EC2 default security group.

05 Select the default security group returned as result.

06 Before you restrict public traffic to the default security group, create a new custom security group and transfer any existing inbound rules to it. To create the necessary security group and transfer the inbound configuration, perform the following:

  1. Click the Actions dropdown button from the dashboard top menu and select Copy to new.
  2. In the Create Security Group dialog box, provide the following details:
    • In the Security group name box, enter a name for your new custom security group.
    • In the Description box, provide a description to reflect the security group usage.
    • From the VPC dropdown list, select the appropriate VPC ID/name.
    • Inside the Inbound tab review the inbound rules copied automatically from the default security group, then click the Create button to create the new security group.

07 Now that the inbound rules are transferred to the custom security group it is safe to remove the rules from the default security group and restrict all public traffic to it. To remove the rules, perform the following actions:

  1. Select the Inbound tab from the dashboard bottom panel and click the Edit button.
  2. In the Edit inbound rules dialog box, remove all the inbound rules available by clicking the x button next to each rule.
  3. Click Save to apply the changes. The default security group is now denying all inbound network traffic.

08 To replace the default security group with the custom one created at step no. 6 for the required EC2 instance(s), perform the following:

  1. In the left navigation panel, under INSTANCES section, choose Instances.
  2. Click inside the EC2 attributes filter box located under the dashboard top menu, choose Security Group Name from the dropdown list and enter default to return all the EC2 instances that are currently using the default security group.
  3. Select an EC2 instance returned as result.
  4. Click the Actions dropdown button from the dashboard top menu, select Networking and click Change Security Group.
  5. In the Change Security Groups dialog box, uncheck the default security group and check the new custom security group.
  6. Click Assign Security Groups to apply the changes.
  7. Repeat steps 3 - 6 to replace the default security group for the rest of the EC2 instances returned at step 2.

09 Change the AWS region from the navigation bar and repeat the process for the remaining regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) to expose the inbound/ingress rules of the default security group within the selected region:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--filters Name=group-name,Values='default' \
	--query 'SecurityGroups[*].IpPermissions'

02 The command output should return the inbound rules metadata:

[
    [
        {
            "PrefixListIds": [],
            "FromPort": 80,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 80,
            "IpProtocol": "tcp",
            "UserIdGroupPairs": []
        }
    ]
]

03 Run create-security-group command (OSX/Linux/UNIX) to set up a custom security group that will replace the default one. The following command example creates a security group called MyCustomSecurityGroup inside the VPC identified with the ID vpc-e45e94df, within the US East AWS region:

aws ec2 create-security-group \
	--region us-east-1 \
	--group-name MyCustomSecurityGroup \
	--description "My EC2 Custom Security Group" \
	--vpc-id vpc-e45e94df

04 The command output should return the new security group ID:

{
    "GroupId": "sg-2673e45d"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID returned at the previous step as identifier, to transfer the inbound information from the default security group to the newly created custom security group (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-2673e45d \
	--protocol tcp \
	--port 80 \
	--cidr 0.0.0.0/0

06 Run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule(s) from the default security group and restrict all public traffic to it (the command does not return an output):

aws ec2 revoke-security-group-ingress \
	--region us-east-1 \
	--group-name default \
	--protocol tcp \
	--port 80 \
	--cidr 0.0.0.0/0

07 To replace the default security group with the custom one created at step no. 3 for the required EC2 instance(s), run the following commands:

  1. Run describe-instances command (OSX/Linux/UNIX) with the appropriate filter to list the IDs of the EC2 instances in the selected region that have the default security group attached:
    aws ec2 describe-instances \
    	--region us-east-1 \
    	--filters "Name=instance.group-name,Values=default" \
    	--output table \
    	--query 'Reservations[*].Instances[*].InstanceId'
    
  2. The command output should return a table with the requested EC2 instance IDs:
    -------------------------
    |   DescribeInstances   |
    +-----------------------+
    |  i-05031e21f813b3bfd  |
    |  i-05e4a39942208532d  |
    +-----------------------+
    
  3. Now run modify-instance-attribute command (OSX/Linux/UNIX) using an instance ID returned at the previous step and the custom security group ID returned at step no. 4 to replace the default security group with the custom one created earlier for the selected EC2 instance (if successful, the command does not return an output):
    aws ec2 modify-instance-attribute \
    	--region us-east-1 \
    	--instance-id i-05031e21f813b3bfd \
    	--groups sg-2673e45d
    
  4. Repeat step 3 to replace the default security group for the rest of the EC2 instances returned at step 2.

08 Repeat steps no. 1 - 7 to implement the entire process for other AWS regions.
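Steps 3 to 7 above move a single tcp/80 rule and then assign the custom group with --groups. The Python program below is an added example, not Cloud Conformity's own code; it plans the same transfer from describe-security-groups and describe-instances output for any set of rules. It also handles two points the single-rule walkthrough does not show: the default group's built-in rule allows all traffic from the group itself, so that self-reference is rewritten to point at the custom group, and modify-instance-attribute --groups replaces an instance's whole group list, so every other security group an instance already uses is kept. The group and instance IDs in the sample data are constructed placeholders (sg-2673e45d from step 4 is reused as the custom group ID); apply_remediation assumes boto3 and credentials, and orders the calls authorize, reassign, revoke, which differs from the page's order so that no instance is left without its inbound rules in between.

```python
"""Added example (not Cloud Conformity's code): plan the rule transfer and
instance re-assignment of steps 3 to 7 from describe-* output.
All IDs in the sample data below are constructed placeholders."""


def clean_permissions(ip_permissions):
    """Keep only the fields of a describe-security-groups IpPermissions entry
    that authorize-/revoke-security-group-ingress accept as input."""
    cleaned = []
    for perm in ip_permissions:
        entry = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):  # absent for protocol -1 (all traffic)
            if key in perm:
                entry[key] = perm[key]
        entry["IpRanges"] = [{k: r[k] for k in ("CidrIp", "Description") if k in r}
                             for r in perm.get("IpRanges", [])]
        entry["Ipv6Ranges"] = [{k: r[k] for k in ("CidrIpv6", "Description") if k in r}
                               for r in perm.get("Ipv6Ranges", [])]
        entry["PrefixListIds"] = [{"PrefixListId": p["PrefixListId"]}
                                  for p in perm.get("PrefixListIds", [])]
        entry["UserIdGroupPairs"] = [{k: g[k] for k in ("GroupId", "UserId") if k in g}
                                     for g in perm.get("UserIdGroupPairs", [])]
        cleaned.append(entry)
    return cleaned


def transfer_plan(default_sg, custom_group_id):
    """Return (authorize_kwargs, revoke_kwargs): the same rules are added to the
    custom group and removed from the default group. The default group's rule
    that references itself is rewritten to reference the custom group."""
    to_authorize = clean_permissions(default_sg["IpPermissions"])
    for perm in to_authorize:
        for pair in perm["UserIdGroupPairs"]:
            if pair.get("GroupId") == default_sg["GroupId"]:
                pair["GroupId"] = custom_group_id
    to_revoke = clean_permissions(default_sg["IpPermissions"])  # fresh copy, unmodified
    return ({"GroupId": custom_group_id, "IpPermissions": to_authorize},
            {"GroupId": default_sg["GroupId"], "IpPermissions": to_revoke})


def replacement_groups(current_group_ids, default_group_id, custom_group_id):
    """Group list for modify-instance-attribute --groups, which replaces the whole
    list: default swapped for custom, other groups kept, no duplicates."""
    result = []
    for gid in current_group_ids:
        gid = custom_group_id if gid == default_group_id else gid
        if gid not in result:
            result.append(gid)
    return result


def instance_reassignments(describe_instances_output, default_group_id, custom_group_id):
    """Map InstanceId -> new group list for every instance attached to the default group."""
    plan = {}
    for reservation in describe_instances_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            current = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
            if default_group_id in current:
                plan[inst["InstanceId"]] = replacement_groups(
                    current, default_group_id, custom_group_id)
    return plan


def apply_remediation(region, default_sg, custom_group_id, describe_instances_output):
    """Live variant (boto3 imported here so the planning functions run offline).
    Order: authorize on custom, move instances, then revoke from default."""
    import boto3  # assumes boto3 and AWS credentials are available
    ec2 = boto2 = boto3.client("ec2", region_name=region)
    authorize, revoke = transfer_plan(default_sg, custom_group_id)
    ec2.authorize_security_group_ingress(**authorize)
    moves = instance_reassignments(describe_instances_output,
                                   default_sg["GroupId"], custom_group_id)
    for instance_id, groups in moves.items():
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=groups)
    ec2.revoke_security_group_ingress(**revoke)


# Constructed sample: the default group from step 2 plus its built-in self rule,
# and three instances, one of which also belongs to a second placeholder group.
DEFAULT_SG = {
    "GroupId": "sg-default0example",
    "GroupName": "default",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "web"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-default0example"}]},
    ],
}
CUSTOM_SG_ID = "sg-2673e45d"  # the custom group ID returned at step 4 of the page
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-05031e21f813b3bfd",
     "SecurityGroups": [{"GroupId": "sg-default0example", "GroupName": "default"}]},
    {"InstanceId": "i-05e4a39942208532d",
     "SecurityGroups": [{"GroupId": "sg-default0example", "GroupName": "default"},
                        {"GroupId": "sg-db000000example", "GroupName": "db-clients"}]},
    {"InstanceId": "i-0000000000example",
     "SecurityGroups": [{"GroupId": "sg-db000000example", "GroupName": "db-clients"}]},
]}]}

if __name__ == "__main__":
    authorize, revoke = transfer_plan(DEFAULT_SG, CUSTOM_SG_ID)
    print("authorize on", authorize["GroupId"], authorize["IpPermissions"])
    print("revoke from", revoke["GroupId"], revoke["IpPermissions"])
    print("reassign", instance_reassignments(INSTANCES, DEFAULT_SG["GroupId"], CUSTOM_SG_ID))
```

Running the file prints the plan for the constructed sample: the third instance is untouched because it never used the default group, and the second keeps its db-clients group next to the custom one. The same plan functions can be fed the real JSON from steps 1 and 7.1 before anything is changed.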

Publication date Jun 10, 2016