Default Security Group Should Not Allow Unrestricted Public Traffic
More Info:
Default security groups should restrict all public traffic to follow AWS security best practices.
Risk Level
Low
Address
Security
Compliance Standards
CISAWS, CBP, NIST, SOC2, PCIDSS, GDPR, AWSWAF, NISTCSF, FedRAMP
Triage and Remediation
Remediation
To remediate the misconfiguration “Default Security Group Should Not Allow Unrestricted Public Traffic” for AWS using the AWS console, follow the steps below:
1. Log in to the AWS Management Console.
2. Navigate to the EC2 service and select the region you are auditing. Every VPC in every region has its own default security group, so repeat these steps for each VPC and each region.
3. In the left-hand menu, click on “Security Groups”.
4. Select the security group named “default” (filter on Group name = default if the list is long).
5. In the “Inbound Rules” tab, choose “Edit inbound rules” and delete any rule whose source is 0.0.0.0/0 or ::/0, whatever its protocol or port. Leave the rule whose source is the default security group itself; AWS creates it so that instances in the group can talk to each other, and it does not expose anything to the internet.
6. If instances attached to the default group genuinely need inbound access, add specific rules for the required ports and protocols with an authorized source CIDR or security group. The safer practice is to leave the default group with no inbound rules at all and attach purpose-built security groups to workloads instead.
7. Review and save the changes.
By following these steps, you will remediate the misconfiguration and ensure that the default security group does not allow unrestricted public traffic.
To remediate the misconfiguration “Default Security Group Should Not Allow Unrestricted Public Traffic” for AWS using the AWS CLI, follow the steps below:
1. Open the AWS CLI on your local machine with credentials that allow ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress.
2. Run the following command to list the default security groups in the current region. There is one per VPC, so expect several IDs; repeat the procedure for each region (or pass --region):
aws ec2 describe-security-groups --filters Name=group-name,Values=default --query 'SecurityGroups[*].[GroupId,VpcId]' --output text
3. Inspect the inbound rules of each default group and note every rule whose source is 0.0.0.0/0 or ::/0:
aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[0].IpPermissions'
4. Revoke each of those rules. A revoke only removes rules that match the protocol, port range and source exactly, so the command below removes an “all traffic from 0.0.0.0/0” rule and nothing else (with --protocol all no --port is needed):
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol all --cidr 0.0.0.0/0
A rule that opens a specific port to the internet, for example TCP on some port from 0.0.0.0/0, must be revoked with that same protocol and port (--protocol tcp --port <port-number> --cidr 0.0.0.0/0). Rules whose source is ::/0 cannot be expressed with --cidr, which accepts IPv4 only; use the --ip-permissions form with an Ipv6Ranges entry for those.
5. If instances in the default group genuinely need inbound access, add the necessary inbound rules using the following command:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-number> --cidr <ip-address>
Replace <port-number> with the port number you want to allow traffic for and <ip-address> with the IP address range you want to allow traffic from.
6. Repeat step 5 for all the necessary inbound rules. Prefer leaving the default group with no inbound rules and attaching purpose-built security groups to workloads.
7. Verify the updated inbound rules of the default security group using the following command:
aws ec2 describe-security-groups --group-ids <security-group-id>
This command will display the updated inbound rules for the default security group; confirm that no rule lists 0.0.0.0/0 or ::/0 as a source.
By following the above steps, you can remediate the misconfiguration “Default Security Group Should Not Allow Unrestricted Public Traffic” for AWS using the AWS CLI.
To remediate the misconfiguration of the default security group allowing unrestricted public traffic in AWS using Python, you can follow these steps:
- Import the boto3 library and create a client for the EC2 service (the region comes from your AWS configuration; run the script once per region).
import boto3

ec2 = boto3.client('ec2')
- Find every default security group in the region with a group-name filter. GroupNames=['default'] only works in the default VPC and returns a single group, so it misses the default groups of non-default VPCs.
response = ec2.describe_security_groups(
    Filters=[{'Name': 'group-name', 'Values': ['default']}]
)
default_groups = [sg['GroupId'] for sg in response['SecurityGroups']]
- Revoke the ingress rule that allows all traffic from 0.0.0.0/0 using the revoke_security_group_ingress() method. A revoke matches rules exactly, so this removes only the “all protocols from 0.0.0.0/0” rule; a rule that opens a specific port to 0.0.0.0/0 or ::/0 has to be revoked with the same IpProtocol, FromPort, ToPort and source it was created with. Rules that do not exist are reported back in UnknownIpPermissions rather than revoked.
for sg_id in default_groups:
    result = ec2.revoke_security_group_ingress(
        GroupId=sg_id,
        IpPermissions=[
            {
                'IpProtocol': '-1',
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }
        ]
    )
    print(sg_id, 'revoked' if result.get('Return') else 'no matching rule')
- Confirm that no public ingress rule remains by describing the default groups again.
response = ec2.describe_security_groups(GroupIds=default_groups)
for sg in response['SecurityGroups']:
    print(sg['GroupId'], sg['IpPermissions'])
This should remediate the misconfiguration of the default security group allowing unrestricted public traffic in AWS using Python.
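The CLI and Python steps above both hinge on the same detail: a revoke only removes a rule that matches exactly, so a blanket “all protocols from 0.0.0.0/0” revoke leaves a “TCP/22 from 0.0.0.0/0” rule in place. The script below is an added example, not code from the original page or from AWS. It walks the IpPermissions of every default group in a describe_security_groups() response, isolates only the 0.0.0.0/0 and ::/0 sources of each rule (leaving the self-referencing rule and any specific CIDRs alone), and builds the exact IpPermissions list that revoke_security_group_ingress() needs. The response data is constructed for the example; the group and VPC IDs in it are placeholders. The remediate() function that calls AWS is an assumed wrapper that needs boto3 and credentials and is not exercised offline.

```python
"""Find and strip unrestricted public ingress from AWS default security groups.

Added example. The rule-selection logic is pure and runs on a constructed
describe_security_groups() response; remediate() is the only part that
talks to AWS (assumption: boto3 installed and credentials configured).
"""

PUBLIC_V4 = "0.0.0.0/0"
PUBLIC_V6 = "::/0"


def public_ingress(permissions):
    """Return, for each rule that targets the whole internet, an IpPermissions
    entry containing only its public sources.

    Revocation matches protocol, port range and source exactly, so each entry
    keeps the original IpProtocol/FromPort/ToPort and drops every non-public
    source (specific CIDRs, UserIdGroupPairs, prefix lists) so those survive.
    """
    offenders = []
    for perm in permissions:
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == PUBLIC_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == PUBLIC_V6]
        if not v4 and not v6:
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        for key in ("FromPort", "ToPort"):  # absent for protocol -1 (all traffic)
            if key in perm:
                entry[key] = perm[key]
        if v4:
            entry["IpRanges"] = [{"CidrIp": PUBLIC_V4}]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": PUBLIC_V6}]
        offenders.append(entry)
    return offenders


def default_group_findings(response):
    """Map GroupId -> offending IpPermissions for every group named 'default'
    in a describe_security_groups() response (one default group per VPC)."""
    findings = {}
    for sg in response["SecurityGroups"]:
        if sg["GroupName"] != "default":
            continue
        bad = public_ingress(sg.get("IpPermissions", []))
        if bad:
            findings[sg["GroupId"]] = bad
    return findings


def remediate(region, dry_run=True):
    """Revoke the offending rules in one region (assumed wrapper, needs AWS)."""
    import boto3  # imported here so the pure functions above run without it
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": ["default"]}]
    )
    findings = default_group_findings(resp)
    for group_id, perms in findings.items():
        print(f"{region} {group_id}: {len(perms)} public ingress rule(s)")
        if not dry_run:
            ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return findings


# Constructed sample in the shape of describe_security_groups() output;
# the IDs are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {
            "GroupName": "default",
            "GroupId": "sg-0000000000000aaaa",
            "VpcId": "vpc-0000000000000aaaa",
            "IpPermissions": [
                # self-referencing rule AWS creates on every default group: keep
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0000000000000aaaa"}]},
                # SSH open to the world on v4 and v6, plus one private source
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {
            "GroupName": "default",
            "GroupId": "sg-0000000000000bbbb",
            "VpcId": "vpc-0000000000000bbbb",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
            ],
        },
    ]
}

if __name__ == "__main__":
    for gid, perms in default_group_findings(SAMPLE_RESPONSE).items():
        print(gid, perms)
```

Run against the sample, only the first group is flagged, and the revoke payload it produces is TCP 22 from 0.0.0.0/0 and ::/0 only; the 10.0.0.0/8 source and the self-referencing rule are left untouched. Call remediate(region) once per region (describe_regions() gives the list) with dry_run=True first to review the findings.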