Default Security Groups In Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-031

Ensure that the Amazon EC2 instances provisioned in your AWS cloud account are not associated with the default security groups created alongside with your VPCs in order to enforce using custom and unique security groups that exercise the Principle of Least Privilege.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, see the Conformity compliance documentation.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When an Amazon EC2 instance is launched without specifying a custom security group, the VPC's default security group is assigned to it automatically. Because many instances are launched this way, a default security group that allows unrestricted access widens the exposure of every such instance to malicious activity such as hacking, brute-force attacks, or Denial-of-Service (DoS) attacks.


Audit

To determine if there are Amazon EC2 instances associated with the default security groups, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Click inside the Filter instances box located under the console top menu, choose Security group name, type default, then press Enter. This filtering technique will return only the EC2 instances associated with the default security group created alongside with the VPC network. If the filtering process returns one or more EC2 instances, the default security group is used by one or more Amazon EC2 instances within the current AWS region.

05 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of the Amazon EC2 instances that are associated with the default security group available within the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --filters "Name=instance.group-name,Values=default" \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return an empty table if the default security group is not being used by EC2 instances or a table populated with instance IDs if the default security group is associated with one or more Amazon EC2 instances, as shown in the following example:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
|  i-01234abcd1234abcd  |
+-----------------------+

If the describe-instances command output returns one or more instance IDs, the default security group is used by one or more Amazon EC2 instances in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.
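The same audit can be run offline against saved describe-instances output. The following Python script is an added example, not part of the original page or of the Conformity tool; the JSON it parses is a constructed sample modelled on the describe-instances response shape, and all instance, ENI and group IDs in it are made up. The CLI filter above matches on the instance-level security group list; this example walks NetworkInterfaces[].Groups instead, so a secondary network interface that still carries the default group is reported too, together with the other groups on that interface (the list the remediation step needs to preserve).

```python
import json

# Constructed sample of `aws ec2 describe-instances --output json` output (not real data).
# Security groups are attached per network interface, so each instance lists its ENIs:
#   - i-0abcdabcdabcdabcd: primary ENI carries the VPC default group plus a custom one
#   - i-0abcd1234abcd1234: primary ENI is clean, but a secondary ENI still uses "default"
#   - i-01234abcd1234abcd: only custom groups (compliant)
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0abcdabcdabcdabcd", "VpcId": "vpc-abcdabcd",
         "NetworkInterfaces": [
             {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaaa", "Attachment": {"DeviceIndex": 0},
              "Groups": [{"GroupName": "default", "GroupId": "sg-abcd1234"},
                         {"GroupName": "app-sg", "GroupId": "sg-01234abcd1234abcd"}]}]},
        {"InstanceId": "i-0abcd1234abcd1234", "VpcId": "vpc-abcdabcd",
         "NetworkInterfaces": [
             {"NetworkInterfaceId": "eni-0bbbbbbbbbbbbbbbb", "Attachment": {"DeviceIndex": 0},
              "Groups": [{"GroupName": "web-sg", "GroupId": "sg-0aaaa1111bbbb2222"}]},
             {"NetworkInterfaceId": "eni-0cccccccccccccccc", "Attachment": {"DeviceIndex": 1},
              "Groups": [{"GroupName": "default", "GroupId": "sg-abcd1234"}]}]},
        {"InstanceId": "i-01234abcd1234abcd", "VpcId": "vpc-abcdabcd",
         "NetworkInterfaces": [
             {"NetworkInterfaceId": "eni-0dddddddddddddddd", "Attachment": {"DeviceIndex": 0},
              "Groups": [{"GroupName": "web-sg", "GroupId": "sg-0aaaa1111bbbb2222"}]}]},
    ]}]
})


def find_default_sg_usage(describe_output):
    """One finding per network interface that carries the VPC default security group.

    The VPC default group is always named "default" (it cannot be renamed or deleted),
    so matching on GroupName is sufficient; the GroupId is recorded as well because the
    remediation needs it when building the replacement group list.
    """
    findings = []
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for eni in inst.get("NetworkInterfaces", []):
                groups = eni.get("Groups", [])
                default_ids = [g["GroupId"] for g in groups if g["GroupName"] == "default"]
                if not default_ids:
                    continue
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "VpcId": inst.get("VpcId"),
                    "NetworkInterfaceId": eni["NetworkInterfaceId"],
                    "DeviceIndex": eni.get("Attachment", {}).get("DeviceIndex"),
                    "DefaultGroupId": default_ids[0],
                    "OtherGroupIds": [g["GroupId"] for g in groups if g["GroupName"] != "default"],
                })
    return findings


def noncompliant_instance_ids(describe_output):
    """Sorted, de-duplicated instance IDs, the same set the CLI --query above prints."""
    return sorted({f["InstanceId"] for f in find_default_sg_usage(describe_output)})


def report(describe_output):
    """Human-readable audit summary, one line per affected network interface."""
    lines = []
    for f in find_default_sg_usage(describe_output):
        where = "primary" if f["DeviceIndex"] == 0 else f"secondary (index {f['DeviceIndex']})"
        lines.append(f"{f['InstanceId']} {f['NetworkInterfaceId']} [{where}] uses {f['DefaultGroupId']}; "
                     f"other groups: {', '.join(f['OtherGroupIds']) or 'none'}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DESCRIBE_INSTANCES):
        print(line)
```

To use it against a real region, save `aws ec2 describe-instances --region <region> --output json` to a file and pass its contents to `report()`; the empty-Reservations case returns no findings, matching the empty table the CLI prints for a compliant region.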

Remediation / Resolution

To follow AWS cloud security best practices, implement the Principle of Least Privilege (POLP) by replacing the associated default security group with a custom security group. To run the remediation process, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion":"2010-09-09",
    "Description":"Replace the default security group associated with the specified instance",
    "Resources":{
        "CustomSecurityGroup" : {
            "Type" : "AWS::EC2::SecurityGroup",
            "Properties" : {
                "GroupDescription" : "Custom web traffic security group",
                "GroupName" : "custom-security-group",
                "VpcId" : "vpc-1234abcd",
                "SecurityGroupIngress" : [{
                    "IpProtocol" : "tcp",
                    "FromPort" : 80,
                    "ToPort" : 80,
                    "CidrIp" : "0.0.0.0/0"
                }],
                "SecurityGroupEgress" : [{
                    "IpProtocol" : "-1",
                    "FromPort" : 0,
                    "ToPort" : 65535,
                    "CidrIp" : "0.0.0.0/0"
                }]
            }
        },
        "EC2Instance":{
            "Type":"AWS::EC2::Instance",
            "Properties":{
                "ImageId":"ami-0abcd1234abcd1234",
                "InstanceType":"t3.micro",
                "KeyName":"ssh-key",
                "SubnetId":"subnet-abcd1234",
                "SecurityGroupIds":[
                    {
                        "Ref":"CustomSecurityGroup"
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Replace the default security group associated with the specified instance
Resources:
  CustomSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Custom web traffic security group
      GroupName: custom-security-group
      VpcId: vpc-1234abcd
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t3.micro
      KeyName: ssh-key
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - Ref: CustomSecurityGroup

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

# Create the replacement security group
resource "aws_security_group" "web-security-group" {
    name        = "custom-security-group"
    description = "Custom web traffic security group"
    vpc_id      = "vpc-1234abcd"

    ingress {
        from_port        = 80
        to_port          = 80
        protocol         = "tcp"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
    }

    egress {
        from_port        = 0
        to_port          = 0
        protocol         = "-1"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
    }

}

# Replace the default security group with the custom one
resource "aws_instance" "ec2-instance" {

    ami = "ami-0abcd1234abcd1234"
    instance_type = "t3.micro"
    key_name = "ssh-key"
    subnet_id = "subnet-abcd1234"
    vpc_security_group_ids = [ aws_security_group.web-security-group.id ]

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the default Amazon EC2 security group. To identify the default security group, check the Security group name column for the default value.

05 Click the Actions dropdown button from the console top menu and choose Copy to new security group.

06 On the Copy to new security group setup page, perform the following operations:

  1. In the Security group name box, enter a unique name for your new custom security group.
  2. In the Description box, provide a short description to reflect the security group usage.
  3. From the VPC dropdown list, select the VPC network in which to create the security group.
  4. In the Inbound rules section, review and (re)configure the inbound/ingress rules copied automatically from the default security group.
  5. In the Outbound rules section, review and (re)configure the outbound/egress rules copied automatically from the default security group.
  6. (Optional) For Tags – optional, use the Add tag button to create and apply user-defined tags to the new security group.
  7. Choose Create security group to create the new custom security group.

07 Replace the default security group with the new, custom one within your Amazon EC2 instance(s) configuration. To replace the default resource, perform the following actions:

  1. In the navigation panel, under Instances, choose Instances.
  2. Select the Amazon EC2 instance that you want to reconfigure.
  3. Click on the Actions dropdown menu from the console top menu, select Security, and choose Change security groups.
  4. On the Change security groups page, perform the following operations:
    • In the Associated security groups section, choose Remove next to the default security group to remove the default security group from your EC2 instance configuration.
    • Click inside the Select security groups box, select the custom security group created at step no 6, and choose Add security group. The custom security group will replace the default one.
    • Choose Save to apply the configuration changes.

08 Repeat step no. 7 for each Amazon EC2 instance associated with the default security group, available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) to describe the configuration of the default security group available within the selected AWS cloud region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters Name=group-name,Values='default'

02 The command output should return the requested configuration information:

{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "FromPort": 80,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 80,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "123456789012",
            "GroupId": "sg-abcd1234",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-abcdabcd"
        }
    ]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up a new custom security group that will replace the default one in the selected AWS cloud region:

aws ec2 create-security-group \
  --region us-east-1 \
  --group-name cc-custom-security-group \
  --description "Web Traffic Security Group" \
  --vpc-id vpc-abcdabcd

04 The command output should return the ID of the new, custom security group:

{
    "GroupId": "sg-0abcdabcdabcdabcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to transfer the inbound information from the default security group to the new, custom security group. Run the authorize-security-group-ingress command as many times as needed and change the --protocol, --port and --cidr parameter values in order to create all the inbound/ingress rules defined for the default security group (if successful, the command does not produce an output):

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id sg-0abcdabcdabcdabcd \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to transfer the outbound information from the default security group to the new, custom security group. Run the authorize-security-group-egress command as many times as needed and change the --ip-permissions parameter values in order to create all the outbound/egress rules defined for the default security group (the command does not produce an output):

aws ec2 authorize-security-group-egress \
  --region us-east-1 \
  --group-id sg-0abcdabcdabcdabcd \
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run modify-instance-attribute command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to reconfigure as the identifier parameter, to replace the default security group with the custom one created at step no. 3. Make sure that you add any other compliant security groups associated with the EC2 instance to the --groups command parameter, because the parameter replaces the instance's entire set of security groups (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute \
  --region us-east-1 \
  --instance-id i-0abcdabcdabcdabcd \
  --groups sg-01234abcd1234abcd sg-0abcdabcdabcdabcd

08 Repeat step no. 7 for each Amazon EC2 instance associated with the default security group, available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.
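Steps 05 to 07 are where a manual copy of the default group most often goes wrong, so the following Python script, an added example that is not part of the original page or of the Conformity tool, plans those three commands from saved describe-security-groups output. It assumes the IDs used in this section (default group sg-abcd1234, new group sg-0abcdabcdabcdabcd, instance i-0abcdabcdabcdabcd, extra group sg-01234abcd1234abcd), and its input is a constructed sample that adds one rule not shown above: the self-referencing "allow all traffic from members of this group" rule that the VPC default group carries. The script handles three edge cases: it rewrites that self-reference to the new group instead of copying a rule that would keep trusting the default group's members; it skips the allow-all IPv4 egress rule, which every newly created group already has and which AWS rejects as a duplicate if authorized again; and it builds the --groups list so that the instance's other groups are kept. The --groups parameter changes the security groups of the instance's primary network interface; secondary interfaces found in the audit are changed with modify-network-interface-attribute --groups instead.

```python
import json
import shlex

# Constructed sample of one entry from `aws ec2 describe-security-groups
# --filters Name=group-name,Values=default` (not real data). Besides the port-80 rule
# shown above, the VPC default group normally carries a self-referencing rule that
# allows all traffic from members of the group itself; it is modelled here because
# it is the rule a naive copy gets wrong.
SAMPLE_DEFAULT_SG = {
    "Description": "default VPC security group",
    "GroupName": "default",
    "GroupId": "sg-abcd1234",
    "OwnerId": "123456789012",
    "VpcId": "vpc-abcdabcd",
    "IpPermissions": [
        {"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-abcd1234", "UserId": "123456789012"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}

# Every newly created security group already has this outbound rule; authorizing it
# a second time is rejected as a duplicate, so it is skipped by default.
IMPLICIT_EGRESS_OF_NEW_GROUP = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def transferable_permissions(default_sg, new_group_id, skip_implicit_egress=True):
    """Return (ingress, egress) lists in the shape --ip-permissions expects.

    Empty lists are dropped, and any UserIdGroupPairs entry that points at the default
    group itself is rewritten to the new group, so "allow traffic from members of this
    group" keeps its meaning instead of trusting whatever is left in the default group.
    """
    def clean(perm):
        out = {}
        for key, value in perm.items():
            if isinstance(value, list) and not value:
                continue
            if key == "UserIdGroupPairs":
                value = [dict(pair, GroupId=new_group_id)
                         if pair.get("GroupId") == default_sg["GroupId"] else pair
                         for pair in value]
            out[key] = value
        return out

    ingress = [clean(p) for p in default_sg.get("IpPermissions", [])]
    egress = [clean(p) for p in default_sg.get("IpPermissionsEgress", [])]
    if skip_implicit_egress:
        egress = [p for p in egress if p != IMPLICIT_EGRESS_OF_NEW_GROUP]
    return ingress, egress


def replacement_groups(current_group_ids, default_group_id, new_group_id):
    """--groups replaces the whole set, so keep every other group and swap only the default."""
    if default_group_id not in current_group_ids:
        raise ValueError("instance is not attached to the default group; nothing to replace")
    result = []
    for gid in current_group_ids:
        gid = new_group_id if gid == default_group_id else gid
        if gid not in result:          # de-duplicate while preserving order
            result.append(gid)
    return result


def build_commands(region, default_sg, new_group_id, instance_id, current_group_ids):
    """Commands for steps 05 to 07, returned as strings to review before running."""
    ingress, egress = transferable_permissions(default_sg, new_group_id)
    cmds = []
    for direction, perms in (("ingress", ingress), ("egress", egress)):
        if perms:
            cmds.append(f"aws ec2 authorize-security-group-{direction} --region {region} "
                        f"--group-id {new_group_id} --ip-permissions {shlex.quote(json.dumps(perms))}")
    groups = replacement_groups(current_group_ids, default_sg["GroupId"], new_group_id)
    cmds.append(f"aws ec2 modify-instance-attribute --region {region} "
                f"--instance-id {instance_id} --groups {' '.join(groups)}")
    return cmds


if __name__ == "__main__":
    for cmd in build_commands("us-east-1", SAMPLE_DEFAULT_SG, "sg-0abcdabcdabcdabcd",
                              "i-0abcdabcdabcdabcd", ["sg-abcd1234", "sg-01234abcd1234abcd"]):
        print(cmd)
```

The self-referencing rule can only be expressed through the JSON --ip-permissions form, not the --protocol/--port/--cidr shorthand, which is why the planner emits that form for every rule; copying the rules unchanged is also the moment to review whether the default group's 0.0.0.0/0 entries should survive in the replacement at all.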

Publication date Sep 5, 2016