Default EC2 Security Groups In Use


Risk level: Medium (should be achieved)

Ensure that the EC2 instances provisioned in your AWS account are not associated with the default security groups created alongside your VPCs, in order to enforce the use of custom, unique security groups that follow the principle of least privilege.

This rule resolution is part of the Cloud Conformity Security Package

When an EC2 instance is launched without specifying a custom security group, the default security group is automatically assigned to the instance. Because many instances are launched this way, a default security group that is configured to allow unrestricted access increases the opportunities for malicious activity such as hacking, brute-force attacks or even denial-of-service (DoS) attacks.

Audit

To determine if you have any provisioned EC2 instances associated with default security groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES section, choose Instances.

04 On the EC2 Instances page, click inside the attributes filter box, choose Security Group Name from the dropdown list and type default for the attribute value. This filtering technique will help you detect the EC2 instances that are currently associated with the default security group created alongside the VPC available within the current AWS region. If the filtering process returns one or more EC2 instances, the default security group is currently in use within the selected region, therefore the EC2 network configuration is not following AWS security best practices.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of the EC2 instances that are currently associated with the default security group available within the selected AWS region:

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=instance.group-name,Values=default" \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return an empty table if the default security group is not being used or a table populated with instance IDs if the default security group is currently attached to EC2 instances, as shown in the following example:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0000c312125ac1b4b  |
|  i-0fa42220c80fdbec3  |
+-----------------------+

If the command output returns one or more instance IDs, the default security group is currently in use within the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To adhere to the principle of least privilege and replace the associated default security groups with custom security groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Click inside the attributes filter box located under the dashboard top menu, choose Group Name from the dropdown list and enter default to return the EC2 default security group.

05 Select the default security group returned as result.

06 To replace the default security group assigned to your instance(s), create a new custom security group and transfer any existing inbound/outbound rules to it. To create the necessary security group, perform the following actions:

  1. Click the Actions dropdown button from the dashboard top menu and select Copy to new.
  2. In the Create Security Group dialog box, provide the following details:
    • In the Security group name box, enter a name for your new custom security group.
    • In the Description box, provide a description to reflect the security group usage.
    • From the VPC dropdown list, select the appropriate VPC ID/name.
    • Inside the Inbound tab, review and configure the ingress rules copied automatically from the default security group.
    • Inside the Outbound tab, review and configure the egress rules copied automatically from the default security group.
    • Click Create button to create the custom EC2 security group.

07 Now that the inbound and outbound rules are transferred to the new security group it is safe to replace the default security group with the custom one within the EC2 instance(s) network configuration. To replace it, perform the following actions:

  1. In the navigation panel, under INSTANCES section, choose Instances.
  2. Select the EC2 instance that you want to configure (see Audit section part I to identify the appropriate instances).
  3. Click the Actions dropdown button from the dashboard top menu, select Networking and click Change Security Group.
  4. In the Change Security Groups dialog box, uncheck the default security group and check the new custom security group.
  5. Click Assign Security Groups to apply the changes.
  6. Repeat steps 2 – 5 to replace the default security group for other EC2 instances available in the current region.

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) to expose the inbound and outbound rules for the default security group within the selected region:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--filters Name=group-name,Values='default' \
	--query 'SecurityGroups[*].[IpPermissions,IpPermissionsEgress]'

02 The command output should return the requested rules metadata:

[
    [
        [
            {
                "PrefixListIds": [],
                "FromPort": 80,
                "IpRanges": [
                    {
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "ToPort": 80,
                "IpProtocol": "tcp",
                "UserIdGroupPairs": []
            },
            {
                "PrefixListIds": [],
                "FromPort": 22,
                "IpRanges": [
                    {
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "ToPort": 22,
                "IpProtocol": "tcp",
                "UserIdGroupPairs": []
            }
        ],
        [
            {
                "PrefixListIds": [],
                "FromPort": 80,
                "IpRanges": [
                    {
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "ToPort": 80,
                "IpProtocol": "tcp",
                "UserIdGroupPairs": []
            },
            {
                "PrefixListIds": [],
                "FromPort": 22,
                "IpRanges": [
                    {
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "ToPort": 22,
                "IpProtocol": "tcp",
                "UserIdGroupPairs": []
            }
        ]
    ]
]

03 Run create-security-group command (OSX/Linux/UNIX) to set up a custom security group that will replace the default one. The following command example creates a security group called MyCustomWebSecurityGroup inside a VPC identified with the ID vpc-2fb56545 available within the US East region:

aws ec2 create-security-group \
	--region us-east-1 \
	--group-name MyCustomWebSecurityGroup \
	--description "My Custom Web Security Group" \
	--vpc-id vpc-2fb56545

04 The command output should return the new security group ID:

{
    "GroupId": "sg-3042ca4a"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the group ID returned at the previous step as identifier, to transfer the inbound rules from the default security group to the newly created security group. Run the command as many times as needed, changing the --protocol, --port and --cidr parameter values accordingly, in order to create all the ingress rules defined within the default security group (the command does not return an output):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-3042ca4a \
	--protocol tcp \
	--port 80 \
	--cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the custom security group as identifier to transfer the outbound rules from the default security group to the newly created security group. Run the command as many times as needed, changing the --ip-permissions parameter value accordingly, in order to create all the egress rules defined within the default security group (the command does not return an output):

aws ec2 authorize-security-group-egress \
	--region us-east-1 \
	--group-id sg-3042ca4a \
	--ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run modify-instance-attribute command (OSX/Linux/UNIX) using the EC2 instance ID and the custom security group ID as parameters to replace the default security group with the custom one created at step no. 3 within the network configuration of the selected EC2 instance (if successful, the command does not return an output):

aws ec2 modify-instance-attribute \
	--region us-east-1 \
	--instance-id i-0000c312125ac1b4b \
	--groups sg-3042ca4a

08 Repeat steps no. 3 - 7 to implement the default security group replacement process for other EC2 instances available within the selected region.

09 Repeat steps no. 1 - 8 to implement the entire process for other AWS regions.
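The following Python example is added here and is not part of the original page or Cloud Conformity's tooling. It works offline on constructed samples shaped like the JSON the audit step (describe-instances) and remediation steps 01, 05 and 06 (describe-security-groups, authorize-security-group-ingress/egress) produce: it lists the instances attached to a group named default, flags rules open to 0.0.0.0/0 that should be reviewed rather than copied blindly, and builds one --ip-permissions command per direction so that every rule (including UserIdGroupPairs, which the per-flag --protocol/--port/--cidr form cannot express) is transferred. The group and instance IDs in the sample are constructed.

```python
import json
import shlex

# Constructed sample in the shape of `aws ec2 describe-instances` output;
# only the fields this example needs are included.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0000c312125ac1b4b",
         "SecurityGroups": [{"GroupName": "default", "GroupId": "sg-11111111"}]},
        {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
         "SecurityGroups": [{"GroupName": "web-tier", "GroupId": "sg-22222222"}]},
    ]},
]

# Constructed sample of the default group's rules, as returned by
# `describe-security-groups` (IpPermissions = inbound, IpPermissionsEgress = outbound).
SAMPLE_DEFAULT_SG = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [], "PrefixListIds": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-22222222", "UserId": "111122223333"}],
         "PrefixListIds": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": [], "PrefixListIds": []},
    ],
}

def instances_using_default(reservations):
    """Instance IDs attached to a group named 'default' (the same set the
    instance.group-name=default filter in the audit step returns)."""
    return [inst["InstanceId"]
            for res in reservations for inst in res["Instances"]
            if any(sg["GroupName"] == "default" for sg in inst["SecurityGroups"])]

def open_to_world(rules):
    """Rules allowing any IPv4 source/destination; review these before
    copying them into the custom group instead of transferring them as-is."""
    return [r for r in rules
            if any(ip.get("CidrIp") == "0.0.0.0/0" for ip in r.get("IpRanges", []))]

def authorize_commands(default_sg, new_group_id, region):
    """Build one authorize command per direction that carries every rule of
    the default group over to new_group_id via --ip-permissions."""
    cmds = []
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        rules = default_sg.get(key, [])
        if rules:
            cmds.append(f"aws ec2 authorize-security-group-{direction} --region {region} "
                        f"--group-id {new_group_id} --ip-permissions {shlex.quote(json.dumps(rules))}")
    return cmds
```

A freshly created security group already carries an allow-all outbound rule, so replaying an identical egress rule from the default group fails with InvalidPermission.Duplicate; drop or tighten that rule before running the generated egress command.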

Publication date Sep 5, 2016