lacework-global-87
5.3 Ensure the default security group of every Virtual Private Cloud (VPC) restricts all traffic (Automated)
This policy may trigger an alert if you have completed an Agentless Workload Scanning integration for AWS using CloudFormation. See Alerts Triggering for lacework-global-87 and lacework-global-145 after Deployment for details.
Profile Applicability
• Level 2
Description
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you do not specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Best practices recommend that the default security group restrict all traffic.
The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that requires remediation to comply with this recommendation.
When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. Use this VPC flow logging recommendation during any period of discovery and engineering for least privileged security groups, even if it is not adopted as a permanent security measure.
Rationale
Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will in-turn reduce the exposure of those resources.
Impact
Implementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.
Audit
Perform the following to determine if the account is configured as prescribed:
Security Group State
- Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
- Repeat the next steps for all VPCs - including the default VPC in each AWS region:
- In the left pane, click
Security Groups - For each default security group, perform the following:
- Select the
defaultsecurity group - Click the
Inbound Rulestab - Ensure no rule exist
- Click the
Outbound Rulestab - Ensure no rules exist
Security Group Members
- Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
- Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region:
- In the left pane, click
Security Groups - Copy the id of the default security group.
- Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home
- In the filter column type 'Security Group ID : < security group id from #4 >'
Remediation
Security Group Members
Perform the following to implement the prescribed state:
- Identify AWS resources that exist within the default security group.
- Create a set of least privilege security groups for those resources.
- Place the resources in those security groups.
- Remove the resources noted in #1 from the default security group.
Security Group State
- Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home.
- Repeat the next steps for all VPCs - including the default VPC in each AWS region:
- In the left pane, click
Security Groups. - For each default security group, perform the following:
- Select the
defaultsecurity group - Click the
Inbound Rulestab - Remove any inbound rules
- Click the
Outbound Rulestab - Remove any inbound rules
Recommended:
Identity and Access Management (IAM) groups allow you to edit the "name" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to "Do not use. Do not add rules."
References
CCE-79201-0
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group