Default Security Group Unrestricted

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (should be achieved)
Rule ID: EC2-016

Ensure that your Amazon EC2 default security groups restrict all inbound public traffic in order to enforce AWS users (administrators, resource managers, etc.) to create custom security groups that exercise the Principle of Least Privilege (POLP) instead of using the default security groups.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Because many AWS users attach the default security group to their Amazon EC2 instances during the launch process, a default security group that allows unrestricted inbound access exposes every such instance to the public internet and increases the opportunity for malicious activity such as hacking, Denial-of-Service attacks, or brute-force attacks.

Audit

To determine if your default security groups allow public inbound traffic, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the default Amazon EC2 security group. To identify the default security group, check the Security group name column for the default value.

05 Choose the Inbound rules tab from the console bottom panel to access the inbound rules created for the selected group.

06 Check the configuration value available in the Source column for any inbound/ingress rules defined. If one or more rules have the Source value set to 0.0.0.0/0 or ::/0 (i.e. Anywhere), the selected default security group allows unrestricted inbound traffic, therefore the security group configuration is not secure.

07 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with predefined and custom query filters to expose the inbound/ingress traffic source(s) configured for the default security group available in the selected AWS region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters Name=group-name,Values='default' \
  --output table \
  --query 'SecurityGroups[*].IpPermissions[*].IpRanges'

02 The command output should return a table with the requested security group information:

--------------------------
| DescribeSecurityGroups |
+------------------------+
|         CidrIp         |
+------------------------+
|       0.0.0.0/0        |
|       10.0.5.0/32      |
+------------------------+

Check the source IP addresses/IP address ranges returned by the describe-security-groups command output. If one or more sources are set to 0.0.0.0/0 (i.e. Anywhere), the selected default security group allows unrestricted inbound traffic, therefore the security group configuration is neither secure nor compliant.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
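The audit above is easy to script once the describe-security-groups output has been saved per region. The following is an added example (not Conformity's own code, and not something the page ships) that evaluates the JSON shape `aws ec2 describe-security-groups --output json` returns. It goes slightly beyond the `--query` shown above by also inspecting `Ipv6Ranges`, so that a `::/0` source (which the console step mentions) is not missed, and it parses each CIDR instead of string-matching so that equivalent spellings such as `::0/0` are still caught. The sample document, group IDs and CIDRs are constructed placeholders.

```python
"""Offline check for EC2-016: does a default security group allow inbound
traffic from anywhere (0.0.0.0/0 or ::/0)?

Added example, not Conformity's code. Feed it the JSON text produced by
`aws ec2 describe-security-groups --filters Name=group-name,Values=default
--output json` for each region; the document below is a constructed sample
in that shape (IDs are placeholders)."""
import ipaddress
import json

# Constructed sample of describe-security-groups output for the default group
SAMPLE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0abcdabcdabcdabcd",   # placeholder
            "GroupName": "default",
            "VpcId": "vpc-abcdabcd",             # placeholder
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.5.0/32"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                 "PrefixListIds": [], "UserIdGroupPairs": []},
                # self-referencing rule: allowed, it is not a public source
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0abcdabcdabcdabcd"}]},
            ],
        }
    ]
})


def is_unrestricted(cidr: str) -> bool:
    """True when the CIDR covers the whole IPv4 or IPv6 address space.
    Parsing (rather than comparing with the literal '0.0.0.0/0') also
    catches equivalent spellings such as '::0/0'."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def find_open_ingress(describe_output: str) -> list:
    """One finding per ingress rule of a default group whose source is the
    whole internet, in either address family."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        if group.get("GroupName") != "default":
            continue  # the rule only concerns default security groups
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if is_unrestricted(src):
                    findings.append({
                        "GroupId": group["GroupId"],
                        "VpcId": group.get("VpcId"),
                        "IpProtocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"),  # absent for protocol -1
                        "ToPort": perm.get("ToPort"),
                        "Source": src,
                    })
    return findings


def is_compliant(describe_output: str) -> bool:
    """EC2-016 passes only when no default group has a public ingress source."""
    return not find_open_ingress(describe_output)


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_OUTPUT):
        print(f"{f['GroupId']} ({f['VpcId']}): {f['IpProtocol']} "
              f"{f['FromPort']}-{f['ToPort']} open to {f['Source']}")
    print("compliant" if is_compliant(SAMPLE_OUTPUT) else "NOT compliant")
```

Run it once per region against the saved output; on the sample it reports the port 80 rule open to 0.0.0.0/0 and the port 22 rule open to ::/0, while the self-referencing rule produces no finding.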

Remediation / Resolution

To follow security best practices and replace the non-compliant default security group with a custom security group, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Replace the non-compliant default security group associated with your EC2 instance",
    "Resources": {
        "WebCustomSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Web Access Security Group",
                "GroupName": "cc-custom-security-group",
                "VpcId": "vpc-abcdabcd",
                "SecurityGroupIngress": [
                    {
                        "IpProtocol": "tcp",
                        "FromPort": 80,
                        "ToPort": 80,
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "SecurityGroupEgress": [
                    {
                        "IpProtocol": "-1",
                        "FromPort": 0,
                        "ToPort": 65535,
                        "CidrIp": "0.0.0.0/0"
                    }
                ]
            }
        },
        "DefaultSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "default VPC security group",
                "GroupName": "default",
                "VpcId": "vpc-abcdabcd"
            }
        },
        "EC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-0abcdabcdabcdabcd",
                "InstanceType": "t3.micro",
                "KeyName": "ssh-key",
                "SubnetId": "subnet-abcd1234",
                "SecurityGroupIds": [
                    { "Ref": "WebCustomSecurityGroup" }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Replace the non-compliant default security group associated with your EC2 instance
Resources:
  WebCustomSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web Access Security Group
      GroupName: cc-custom-security-group
      VpcId: vpc-abcdabcd
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: '0.0.0.0/0'
      SecurityGroupEgress:
        - IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: '0.0.0.0/0'
  DefaultSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: default VPC security group
      GroupName: default
      VpcId: vpc-abcdabcd
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcdabcdabcdabcd
      InstanceType: t3.micro
      KeyName: ssh-key
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - !Ref WebCustomSecurityGroup

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

# Create the replacement security group
resource "aws_security_group" "web-security-group" {
    name        = "cc-custom-security-group"
    description = "Web Access Security Group"
    vpc_id      = "vpc-abcdabcd"

    ingress {
        from_port        = 80
        to_port          = 80
        protocol         = "tcp"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
    }

    egress {
        from_port        = 0
        to_port          = 0
        protocol         = "-1"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
    }

}

# Replace the non-compliant default security group with the custom security group
resource "aws_instance" "ec2-instance" {

    ami = "ami-0abcdabcdabcdabcd"
    instance_type = "t3.micro"
    key_name = "ssh-key"
    subnet_id = "subnet-abcd1234"
    vpc_security_group_ids = [ aws_security_group.web-security-group.id ]

}

# Remove non-compliant inbound rules from the default security group.
# aws_default_security_group adopts the VPC's existing default group; declaring
# it with no ingress/egress blocks removes every rule from it. Its name and
# description are computed by AWS and are not configurable arguments.
resource "aws_default_security_group" "default-security-group" {
    vpc_id = "vpc-abcdabcd"
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the default Amazon EC2 security group. To identify the default security group, check the Security group name column for the default value.

05 Click the Actions dropdown button from the console top menu and choose Copy to new security group.

06 On the Copy to new security group setup page, perform the following operations:

  1. In the Security group name box, enter a unique name for your new custom security group.
  2. In the Description box, provide a short description to reflect the security group usage.
  3. From the VPC dropdown list, select the VPC network in which to create the security group.
  4. In the Inbound rules section, review and (re)configure the inbound/ingress rules copied automatically from the default security group.
  5. In the Outbound rules section, review and (re)configure the outbound/egress rules copied automatically from the default security group.
  6. (Optional) For Tags – optional, use the Add tag button to create and apply user-defined tags to the new security group.
  7. Choose Create security group to create the new custom security group.

07 Replace the default security group with the new, custom one within your Amazon EC2 instance(s) configuration. To replace the default resource, perform the following actions:

  1. In the navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to reconfigure.
  3. Click on the Actions dropdown menu from the console top menu, select Security, and choose Change security groups.
  4. On the Change security groups page, perform the following commands:
    • In the Associated security groups section, choose Remove next to the default security group to remove the default security group from your EC2 instance configuration.
    • Click inside the Select security groups box, select the custom security group created at step no 6, and choose Add security group. The custom security group will replace the default one.
    • Choose Save to apply the configuration changes.

08 Now it's safe to remove the non-compliant inbound rules from the default security group and block all public traffic. To remove the required rules, perform the following actions:

  1. In the navigation panel, under Network & Security, choose Security Groups.
  2. Select the default Amazon EC2 security group.
  3. Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.
  4. On the Edit inbound rules configuration page, perform the following:
    • Choose Delete next to the non-compliant rule (i.e. the one with the Source set to 0.0.0.0/0 or ::/0) to remove the rule from your default security group. Repeat this step for each rule that you want to delete.
    • Choose Save rules to apply the configuration changes.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to describe the inbound/ingress rules configured for the default security group available in the selected AWS region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters Name=group-name,Values='default' \
  --query 'SecurityGroups[*].IpPermissions'

02 The command output should return the requested configuration information:

[
    [
        {
            "FromPort": 80,
            "IpProtocol": "tcp",
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "Ipv6Ranges": [],
            "PrefixListIds": [],
            "ToPort": 80,
            "UserIdGroupPairs": []
        }
    ]
]

03 Run create-security-group command (OSX/Linux/UNIX) to set up a new custom security group that will replace the default one in the selected AWS cloud region:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-custom-security-group \
  --description "Web Access Security Group" \
  --vpc-id vpc-abcdabcd

04 The command output should return the ID of the new, custom security group:

{
    "GroupId": "sg-0abcdabcdabcdabcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to transfer the inbound information from the default security group to the new (custom) security group. Run the authorize-security-group-ingress command as many times as needed and change the --protocol, --port and --cidr parameter values in order to create all the inbound/ingress rules defined for the default security group (if successful, the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-0abcdabcdabcdabcd \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

06 Run modify-instance-attribute command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to reconfigure as the identifier parameter, to replace the default security group with the custom one created at step no. 3. Make sure that you add any other compliant security groups associated with the EC2 instance to the --groups command parameter, because the parameter sets the complete list of groups attached to the instance (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute \
  --region us-east-1 \
  --instance-id i-0abcdabcdabcdabcd \
  --groups sg-01234abcd1234abcd sg-0abcdabcdabcdabcd

07 Run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the non-compliant inbound rule(s) from the default security group and block all public traffic to it:

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-name default \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0 \
  --query 'Return'

08 The command output should return true if the request succeeds. Otherwise, it should return an error:

true

09 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
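Steps 01 to 08 become error-prone when the default group carries several rules and is attached to several instances: each instance's full group list must be rebuilt for modify-instance-attribute, and the revoke must strip only the public sources while leaving private ones such as 10.0.5.0/32 in place. The following added example (not Conformity's own code) plans that work offline from saved `describe-security-groups` and `describe-instances` JSON. It emits the commands in the order the steps require, re-attaching every affected instance before anything is revoked, and it passes the public rules to revoke-security-group-ingress as an `--ip-permissions` document (a real parameter of that command) with `--group-id` rather than the `--group-name` used above. The group and instance IDs, CIDRs and the two sample documents are constructed placeholders.

```python
"""Plan the CLI remediation for EC2-016 from saved describe-* output.

Added example, not Conformity's code. It makes no AWS calls: it reads the
JSON that `aws ec2 describe-security-groups` and `aws ec2 describe-instances`
produce, keeps only the public (0.0.0.0/0 or ::/0) sources of each default
group rule, and prints the commands to run, instances first, revoke last.
All IDs below are constructed placeholders."""
import ipaddress
import json
import shlex

REGION = "us-east-1"
DEFAULT_SG = "sg-0abcdabcdabcdabcd"      # placeholder: the default group
CUSTOM_SG = "sg-0def0def0def0def0"       # placeholder: the replacement group

# Constructed sample of `aws ec2 describe-security-groups --filters
# Name=group-name,Values=default`; the port 80 rule mixes public and private sources
DEFAULT_SG_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": DEFAULT_SG, "GroupName": "default", "VpcId": "vpc-abcdabcd",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.5.0/32"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.5.0/32"}], "Ipv6Ranges": []},
    ]}]})

# Constructed sample of `aws ec2 describe-instances` (only the fields used here)
INSTANCES_OUTPUT = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0abcdabcdabcdabcd",
     "SecurityGroups": [{"GroupId": "sg-01234abcd1234abcd", "GroupName": "db"},
                        {"GroupId": DEFAULT_SG, "GroupName": "default"}]},
    {"InstanceId": "i-0111122223333aaaa",
     "SecurityGroups": [{"GroupId": "sg-01234abcd1234abcd", "GroupName": "db"}]},
]}]})


def is_public(cidr: str) -> bool:
    """True for a /0 in either address family."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def public_permissions(describe_sg_output: str) -> list:
    """Ingress rules of the default group reduced to their public sources,
    in the shape revoke-security-group-ingress --ip-permissions accepts.
    Private sources in the same rule are omitted so the revoke leaves them."""
    revoke = []
    for group in json.loads(describe_sg_output)["SecurityGroups"]:
        if group["GroupName"] != "default":
            continue
        for perm in group["IpPermissions"]:
            v4 = [r for r in perm.get("IpRanges", []) if is_public(r["CidrIp"])]
            v6 = [r for r in perm.get("Ipv6Ranges", []) if is_public(r["CidrIpv6"])]
            if not (v4 or v6):
                continue
            entry = {"IpProtocol": perm["IpProtocol"]}
            if "FromPort" in perm:              # absent when IpProtocol is "-1"
                entry["FromPort"] = perm["FromPort"]
                entry["ToPort"] = perm["ToPort"]
            if v4:
                entry["IpRanges"] = v4
            if v6:
                entry["Ipv6Ranges"] = v6
            revoke.append(entry)
    return revoke


def replacement_groups(describe_instances_output: str) -> dict:
    """InstanceId -> new group list for each instance still using the default
    group: the default entry becomes CUSTOM_SG, every other group is kept."""
    plan = {}
    for reservation in json.loads(describe_instances_output)["Reservations"]:
        for inst in reservation["Instances"]:
            attached = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
            if DEFAULT_SG not in attached:
                continue
            new = [CUSTOM_SG if g == DEFAULT_SG else g for g in attached]
            plan[inst["InstanceId"]] = list(dict.fromkeys(new))  # dedupe, keep order
    return plan


def remediation_commands(describe_sg_output: str, describe_instances_output: str) -> list:
    """Ordered argv lists: re-attach instances first, revoke afterwards, so no
    instance is left relying on the default group while its rules are removed."""
    cmds = []
    for instance_id, groups in replacement_groups(describe_instances_output).items():
        cmds.append(["aws", "ec2", "modify-instance-attribute", "--region", REGION,
                     "--instance-id", instance_id, "--groups", *groups])
    perms = public_permissions(describe_sg_output)
    if perms:
        cmds.append(["aws", "ec2", "revoke-security-group-ingress", "--region", REGION,
                     "--group-id", DEFAULT_SG, "--ip-permissions", json.dumps(perms)])
    return cmds


if __name__ == "__main__":
    for argv in remediation_commands(DEFAULT_SG_OUTPUT, INSTANCES_OUTPUT):
        print(shlex.join(argv))   # shell-quoted, ready to review and paste
```

On the sample data the plan is one modify-instance-attribute for the instance that still carries the default group (its "db" group is preserved) followed by a single revoke that removes 0.0.0.0/0 and ::/0 from the port 80 rule while the 10.0.5.0/32 sources on ports 80 and 22 stay in place. Review the printed commands before running them, and repeat per region as step 09 says.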

Publication date Jun 10, 2016