Default Security Group Unrestricted
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your AWS EC2 default security groups restrict all inbound public traffic in order to enforce AWS users (EC2 administrators, resource managers, etc) to create custom security groups that exercise the rule of least privilege instead of using the default security groups.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Because a lot of AWS users have the tendency to attach the default security group to their EC2 instances during the launch process, any default security groups configured to allow unrestricted access can increase opportunities for malicious activity such as hacking, denial-of-service attacks or brute-force attacks.
To determine if your EC2 default security groups allow public inbound traffic, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.
04 Click inside the attributes filter box located under the dashboard top menu, choose Group Name from the dropdown list and enter default to return the EC2 default security group.
05 Select the security group returned as result.
06 Select the Inbound tab from the dashboard bottom panel.
07 Verify the value available in the Source column for any inbound/ingress rules defined. If one or more rules have the source set to Anywhere (0.0.0.0/0 or ::/0), the selected default security group allows public inbound traffic, therefore is not following the AWS security best practices.
08 Change the AWS region from the navigation bar and repeat the audit process for the remaining regions.
01 Run describe-security-groups command (OSX/Linux/UNIX) using appropriate filtering to expose the inbound traffic source(s) for the default security group within the selected region:
aws ec2 describe-security-groups --region us-east-1 --filters Name=group-name,Values='default' --output table --query 'SecurityGroups[*].IpPermissions[*].IpRanges'
02 The command output should return a table with the requested security group information. If the command does not return any output, the default security group does not allow public inbound traffic, otherwise, it should return the inbound traffic source IP(s)/IP range(s) defined, as shown in the following example:
------------------------ |DescribeSecurityGroups| +----------------------+ | CidrIp | +----------------------+ | 0.0.0.0/0 | | ::/0 | | 52.235.140.10/32 | | 51.44.109.147/32 | +----------------------+
03 Repeat step no. 1 and 2 to perform the audit process for other AWS regions.
To restrict public inbound traffic to your default security groups and use custom security groups instead of default ones for your EC2 instances, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.
04 Click inside the attributes filter box located under the dashboard top menu, choose Group Name from the dropdown list and enter default to return the EC2 default security group.
05 Select the default security group returned as result.
06 Before you restrict public traffic to the default security group, create a new custom security group and transfer any existing inbound rules to it. To create the necessary security group and transfer the inbound configuration, perform the following:
07 Now that the inbound rules are transferred to the custom security group it is safe to remove the rules from the default security group and restrict all public traffic to it. To remove the rules, perform the following actions:
08 To replace the default security group with the custom one created at step no. 6 for the required EC2 instance(s), perform the following:
09 Change the AWS region from the navigation bar and repeat the process for the remaining regions.
01 Run describe-security-groups command (OSX/Linux/UNIX) to expose the inbound/ingress rules information for the default security group within the selected region:
aws ec2 describe-security-groups --region us-east-1 --filters Name=group-name,Values='default' --query 'SecurityGroups[*].IpPermissions'
02 The command output should return the inbound rules metadata:
[
[
{
"PrefixListIds": [],
"FromPort": 80,
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": 80,
"IpProtocol": "tcp",
"UserIdGroupPairs": []
}
]
]
03 Run create-security-group command (OSX/Linux/UNIX) to set up a custom security group that will replace the default one. The following command example creates a security group called MyCustomSecurityGroup inside the VPC identified with the ID vpc-e45e94df, within the US East AWS region:
aws ec2 create-security-group --region us-east-1 --group-name MyCustomSecurityGroup --description "My EC2 Custom Security Group" --vpc-id vpc-e45e94df
04 The command output should return the new security group ID:
{
"GroupId": "sg-2673e45d"
}
05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID returned at the previous step as identifier, to transfer the inbound information from the default security group to the newly created custom security group (the command does not produce an output):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-2673e45d --protocol tcp --port 80 --cidr 0.0.0.0/0
06 Run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule(s) from the default security group and restrict all public traffic to it (the command does not return an output):
aws ec2 revoke-security-group-ingress --region us-east-1 --group-name default --protocol tcp --port 80 --cidr 0.0.0.0/0
07 To replace the default security group with the custom one created at step no. 3 for the required EC2 instance(s), run the following commands:
aws ec2 describe-instances --region us-east-1 --filters "Name=instance.group-name,Values=default" --output table --query 'Reservations[*].Instances[*].InstanceId'
------------------------- | DescribeInstances | +-----------------------+ | i-05031e21f813b3bfd | | i-05e4a39942208532d | +-----------------------+
aws ec2 modify-instance-attribute --region us-east-1 --instance-id i-05031e21f813b3bfd --groups sg-2673e45d
08 Repeat steps no. 1 - 7 to implement the entire process for other AWS regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat