More Info:

Your AWS EC2 default security groups should restrict all inbound public traffic in order to enforce AWS users (EC2 administrators, resource managers, etc) to create custom security groups that exercise the rule of least privilege instead of using the default security groups.

Risk Level

Low

Address

Security

Compliance Standards

CISAWS, CBP, NIST, SOC2, PCIDSS, GDPR, AWSWAF, NISTCSF, FedRAMP

Remediation

How to ensure default Security Group does not allow unrestricted inbound access

Using Console

To remediate the misconfiguration “Default Security Group Should Not Allow Unrestricted Public Traffic” for AWS using the AWS console, follow the steps below:
  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 service.
  3. In the left-hand menu, click on “Security Groups”.
  4. Select the default security group.
  5. In the “Inbound Rules” tab, remove any rules that allow unrestricted public traffic (i.e. 0.0.0.0/0).
  6. Add specific rules for the required ports and protocols to allow traffic only from authorized sources.
  7. Review and save the changes.
By following these steps, you will remediate the misconfiguration and ensure that the default security group does not allow unrestricted public traffic.

Using CLI

To remediate the misconfiguration “Default Security Group Should Not Allow Unrestricted Public Traffic” for AWS using AWS CLI, follow the below steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to get the ID of the default security group in your AWS account: 
    aws ec2 describe-security-groups --filters Name=group-name,Values=default --query 'SecurityGroups[*].GroupId' --output text
  3. Run the following command to update the inbound rules of the default security group to allow only necessary traffic: 
    aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol all --port all --cidr 0.0.0.0/0
    This command will remove all the inbound rules that allow unrestricted public traffic.
  4. Now, add the necessary inbound rules to the default security group using the following command: 
    aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-number> --cidr <ip-address>
    Replace <port-number> with the port number you want to allow traffic for and <ip-address> with the IP address range you want to allow traffic from.
  5. Repeat step 4 for all the necessary inbound rules.
  6. Verify the updated inbound rules of the default security group using the following command: 
    aws ec2 describe-security-groups --group-ids <security-group-id>
    This command will display the updated inbound rules for the default security group.
By following the above steps, you can remediate the misconfiguration “Default Security Group Should Not Allow Unrestricted Public Traffic” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration of default security group allowing unrestricted public traffic in AWS using Python, you can follow these steps:
  1. Import the necessary AWS SDK libraries and modules in Python.
import boto3
  1. Create a connection to the AWS EC2 service using the boto3 library.
ec2 = boto3.client('ec2')
  1. Get the default security group ID using the describe_security_groups() method.
response = ec2.describe_security_groups(GroupNames=['default'])
sg_id = response['SecurityGroups'][0]['GroupId']
  1. Revoke the ingress rules that allow unrestricted public traffic using the revoke_security_group_ingress() method.
response = ec2.revoke_security_group_ingress(
    GroupId=sg_id,
    IpPermissions=[
        {
            'IpProtocol': '-1',
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
        }
    ]
)
  1. Confirm that the ingress rules have been revoked by describing the security group again.
response = ec2.describe_security_groups(GroupNames=['default'])
print(response)
This should remediate the misconfiguration of default security group allowing unrestricted public traffic in AWS using Python.

Additional Reading: