AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Default Security Group Should Not Be Publicly Accessible
More Info:
Default security groups should block all traffic by default. EC2 instances should not be associated with default security groups with public access.
Risk Level
Medium
Address
Security
Compliance Standards
NIST
Triage and Remediation
Remediation
To remediate the misconfiguration of the default security group being publicly accessible in AWS, follow these steps using the AWS Management Console:
-
Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
-
Navigate to the EC2 Dashboard: Click on the “Services” dropdown menu at the top left corner of the console, select “EC2” under the Compute section.
-
Access the Security Groups: In the EC2 Dashboard, locate and click on the “Security Groups” option in the left-hand navigation pane.
-
Identify the Default Security Group: Look for the default security group in the list of security groups. The default security group has the name “default” and is associated with all new instances that are launched in the VPC.
-
Edit Inbound Rules: Click on the default security group to select it, and then navigate to the “Inbound Rules” tab at the bottom of the console.
-
Remove Publicly Accessible Rules: Identify any inbound rules that allow unrestricted access from the internet (0.0.0.0/0 or ::/0) and remove them. This includes rules allowing SSH (port 22), RDP (port 3389), HTTP (port 80), HTTPS (port 443), etc.
-
Add Necessary Rules: Add specific inbound rules that allow access only from trusted sources, such as your organization’s IP addresses or specific security groups within your VPC.
-
Save the Changes: After making the necessary changes to the inbound rules, click on the “Save rules” button to apply the changes to the default security group.
-
Verify Changes: Double-check the inbound rules to ensure that only necessary and restricted access is allowed to the default security group.
By following these steps, you can remediate the misconfiguration of the default security group being publicly accessible in AWS and enhance the security of your cloud environment.
To remediate the misconfiguration of the default security group being publicly accessible in AWS, you can follow these steps using the AWS CLI:
- List all the security groups in your AWS account to identify the default security group:
aws ec2 describe-security-groups --query "SecurityGroups[?GroupName=='default']"
-
Get the Group ID of the default security group from the output of the above command.
-
Update the inbound rules of the default security group to restrict access. You can remove the existing rules or update them to allow access only from specific IP ranges or security groups. For example, to remove all inbound rules from the default security group:
aws ec2 revoke-security-group-ingress --group-id <YOUR_DEFAULT_SECURITY_GROUP_ID> --protocol -1 --source-group all
- Verify that the inbound rules have been updated successfully by describing the security group:
aws ec2 describe-security-groups --group-ids <YOUR_DEFAULT_SECURITY_GROUP_ID>
By following these steps, you can ensure that the default security group in your AWS account is no longer publicly accessible.
To remediate the misconfiguration of the default security group being publicly accessible in AWS using Python, you can follow these steps:
-
Use the AWS SDK for Python (Boto3) to programmatically update the inbound rules of the default security group to restrict access.
-
Here’s a sample Python script that demonstrates how to update the default security group to allow only specific IP ranges or ports:
import boto3
# Initialize the EC2 client
ec2 = boto3.client('ec2')
# Get the default security group ID
response = ec2.describe_security_groups(GroupNames=['default'])
default_security_group_id = response['SecurityGroups'][0]['GroupId']
# Revoke existing inbound rules that allow all traffic
ec2.revoke_security_group_ingress(
GroupId=default_security_group_id,
IpPermissions=[
{
'IpProtocol': '-1',
'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
}
]
)
# Add new inbound rules to allow specific IP ranges or ports
ec2.authorize_security_group_ingress(
GroupId=default_security_group_id,
IpPermissions=[
{
'IpProtocol': 'tcp',
'FromPort': 22,
'ToPort': 22,
'IpRanges': [{'CidrIp': 'YOUR_IP_RANGE'}]
},
{
'IpProtocol': 'tcp',
'FromPort': 80,
'ToPort': 80,
'IpRanges': [{'CidrIp': 'YOUR_IP_RANGE'}]
}
]
)
print('Default security group remediated successfully.')
-
Replace
'YOUR_IP_RANGE'with the specific IP range or port that you want to allow access to. You can add multiple rules as needed. -
Run this Python script in your AWS environment with the necessary IAM permissions to update security groups.
By following these steps, you can remediate the misconfiguration of the default security group being publicly accessible in AWS using Python.