Default Security Groups Should Block All Traffic
More Info:
Default security groups should block all traffic by default. EC2 instances should not be associated with default security groups.
Risk Level: Medium
Address: Security
Compliance Standards: NIST
Triage and Remediation
Remediation
To remediate default security groups that allow all traffic in AWS, follow these steps in the AWS Management Console:
- Log in to the AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in with your credentials.
- Navigate to the EC2 Dashboard: Click the “Services” dropdown in the top left corner and select “EC2” under the Compute section.
- Access Security Groups: In the EC2 Dashboard, click “Security Groups” in the left-hand navigation pane.
- Identify the Default Security Group: Look for the default security group in the list of security groups. It usually has the Group Name “default” and the description “default VPC security group”.
- Edit Inbound Rules: Select the default security group, then open the “Inbound rules” tab at the bottom of the dashboard.
- Remove All Inbound Rules: You will see the inbound rules that allow traffic to the instances associated with this security group. To block all traffic, remove every existing inbound rule.
- Add Necessary Rules: After removing all inbound rules, add specific rules only where your requirements call for them. Click “Edit inbound rules” and add rules for the specific ports and protocols your instances need.
- Save Changes: Once you have added the necessary rules, click “Save rules” to apply the changes to the default security group.
- Verify Changes: Confirm that the default security group now only allows traffic permitted by the rules you defined.
By following these steps, you have remediated default security groups that allow all traffic in AWS.
To remediate default security groups that allow all traffic in AWS using the AWS CLI, follow these steps:
- List all default security groups in your AWS account (every VPC has one), together with the rules each currently carries:
aws ec2 describe-security-groups --filters Name=group-name,Values=default
- Identify the default security groups that allow all traffic: any entry whose IpPermissions or IpPermissionsEgress list is not empty.
- Get the Group ID of each default security group, alongside its VPC (--group-names only resolves the default VPC, so filter by name instead):
aws ec2 describe-security-groups --filters Name=group-name,Values=default --query 'SecurityGroups[].[VpcId,GroupId]' --output text
- Update the inbound rules of the default security group to deny all traffic. The stock default group’s inbound rule allows all traffic from the group itself rather than from 0.0.0.0/0, so revoke both forms:
aws ec2 revoke-security-group-ingress --group-id YOUR_GROUP_ID --protocol all --source-group YOUR_GROUP_ID
aws ec2 revoke-security-group-ingress --group-id YOUR_GROUP_ID --protocol all --cidr 0.0.0.0/0
- Update the outbound rules of the default security group to deny all traffic:
aws ec2 revoke-security-group-egress --group-id YOUR_GROUP_ID --protocol all --cidr 0.0.0.0/0
Replace YOUR_GROUP_ID with the Group ID of the default security group that allows all traffic.
By following these steps, you have remediated default security groups that allow all traffic in AWS using the AWS CLI.
To remediate default security groups that allow all traffic in AWS using Python, use the AWS SDK for Python (Boto3) to revoke the inbound and outbound rules of every default security group so that it denies all traffic. Here are the step-by-step instructions:
- Install Boto3: If you haven’t already installed Boto3, you can do so using pip:
pip install boto3
- Write a Python script to update the default security groups. The stock default group’s inbound rule references the group itself rather than 0.0.0.0/0, so the script revokes whatever rules each group actually holds instead of guessing them:
import boto3

# Initialize the EC2 client
ec2 = boto3.client('ec2')

# Find every default security group (each VPC has one)
response = ec2.describe_security_groups(
    Filters=[{'Name': 'group-name', 'Values': ['default']}]
)

for sg in response['SecurityGroups']:
    group_id = sg['GroupId']

    # Revoke the inbound rules the group currently has; a stock default group
    # carries a self-referencing "all traffic" rule, not a 0.0.0.0/0 rule
    if sg['IpPermissions']:
        ec2.revoke_security_group_ingress(
            GroupId=group_id,
            IpPermissions=sg['IpPermissions']
        )

    # Revoke the outbound rules the group currently has
    # (by default: all traffic to 0.0.0.0/0)
    if sg['IpPermissionsEgress']:
        ec2.revoke_security_group_egress(
            GroupId=group_id,
            IpPermissions=sg['IpPermissionsEgress']
        )

    print(f"{group_id} in {sg['VpcId']}: rules updated to deny all traffic.")
- Run the Python script: Execute the script to update the default security group rules to deny all traffic.
python update_default_security_group.py
After running this script, every default security group in the configured region will block all inbound and outbound traffic. Review the changes and make sure they align with your security requirements.
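The remediation steps above revoke rules, but the “Identify” and “Verify Changes” steps, and the requirement in More Info that instances not be associated with the default group, need a check. The following audit script is an added example written for this page, not code from the page’s author or from AWS: it walks every default security group in describe-security-groups output, reports each remaining inbound or outbound rule (including the self-referencing rule the stock default group carries), and reports any network interface, and therefore any instance, still using the group. The sample responses, group IDs, VPC IDs and ENI IDs are constructed so the logic runs offline; the `__main__` section shows how to feed it live data with Boto3 paginators.

```python
"""Audit default security groups: flag any that still carry rules or that
network interfaces (and therefore instances) are attached to."""
from typing import Dict, List

# Constructed sample of ec2.describe_security_groups(Filters=[group-name=default]) output:
# vpc-0aaaa holds a stock default group plus an added SSH rule; vpc-0bbbb is already locked down.
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaaa", "GroupName": "default", "VpcId": "vpc-0aaaa",
            "IpPermissions": [
                # stock rule: all traffic from any member of the group itself
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0aaaa", "UserId": "111111111111"}]},
                # a rule someone added later
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
                 "UserIdGroupPairs": []},
            ],
            "IpPermissionsEgress": [
                # stock rule: all traffic to anywhere
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "PrefixListIds": [], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0bbbb", "GroupName": "default", "VpcId": "vpc-0bbbb",
            "IpPermissions": [], "IpPermissionsEgress": [],
        },
    ]
}

# Constructed sample of ec2.describe_network_interfaces() output
SAMPLE_NETWORK_INTERFACES = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaaa", "VpcId": "vpc-0aaaa",
         "Groups": [{"GroupId": "sg-0aaaa", "GroupName": "default"}],
         "Attachment": {"InstanceId": "i-0aaaa"}},
        {"NetworkInterfaceId": "eni-0cccc", "VpcId": "vpc-0bbbb",
         "Groups": [{"GroupId": "sg-0cccc", "GroupName": "web"}],
         "Attachment": {"InstanceId": "i-0cccc"}},
    ]
}


def describe_rule(direction: str, perm: Dict) -> str:
    """Render one IpPermission entry as e.g. 'inbound all/all from sg-0aaaa'."""
    proto = "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"]
    ports = f"{perm['FromPort']}-{perm['ToPort']}" if "FromPort" in perm else "all"
    # every kind of peer a rule can name: IPv4, IPv6, prefix list, security group
    peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    peers += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    peers += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    peers += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    link = "from" if direction == "inbound" else "to"
    return f"{direction} {proto}/{ports} {link} {','.join(peers) or 'nowhere'}"


def audit_default_security_groups(security_groups: Dict, network_interfaces: Dict) -> List[Dict]:
    """Return one finding per default security group that is not locked down:
    it still has an inbound or outbound rule, or a network interface uses it."""
    attached_enis: Dict[str, List[str]] = {}
    for eni in network_interfaces["NetworkInterfaces"]:
        for group in eni["Groups"]:
            attached_enis.setdefault(group["GroupId"], []).append(eni["NetworkInterfaceId"])

    findings = []
    for sg in security_groups["SecurityGroups"]:
        if sg["GroupName"] != "default":
            continue
        problems = [describe_rule("inbound", p) for p in sg["IpPermissions"]]
        problems += [describe_rule("outbound", p) for p in sg["IpPermissionsEgress"]]
        problems += [f"used by {eni}" for eni in attached_enis.get(sg["GroupId"], [])]
        if problems:
            findings.append({"GroupId": sg["GroupId"], "VpcId": sg["VpcId"], "Problems": problems})
    return findings


if __name__ == "__main__":
    import boto3  # only needed for a live run; the audit logic above is pure

    ec2 = boto3.client("ec2")
    live_sgs = {"SecurityGroups": [
        sg for page in ec2.get_paginator("describe_security_groups").paginate(
            Filters=[{"Name": "group-name", "Values": ["default"]}])
        for sg in page["SecurityGroups"]]}
    live_enis = {"NetworkInterfaces": [
        eni for page in ec2.get_paginator("describe_network_interfaces").paginate()
        for eni in page["NetworkInterfaces"]]}
    for finding in audit_default_security_groups(live_sgs, live_enis):
        print(finding["GroupId"], finding["VpcId"])
        for problem in finding["Problems"]:
            print("   ", problem)
```

Run the audit before remediation to see which groups and rules the revoke step will touch, and again afterwards: a clean result is an empty findings list. A group that still shows “used by eni-…” is compliant on rules but not on the association requirement, and the instance behind that ENI should be moved to a purpose-built security group.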