Default Security Groups In Use

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Instances, choose Instances.

04 Click inside the Filter instances box located under the console top menu, choose Security group name, type default, then press Enter. This filtering technique will return only the EC2 instances associated with the default security group created alongside with the VPC network. If the filtering process returns one or more EC2 instances, the default security group is used by one or more Amazon EC2 instances within the current AWS region.

05 Change the AWS cloud region from the console navigation bar and repeat the audit process for other regions.

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the IDs of the Amazon EC2 instances that are associated with the default security group available within the selected AWS cloud region:

aws ec2 describe-instances
  --region us-east-1
  --filters "Name=instance.group-name,Values=default"
  --output table
  --query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return an empty table if the default security group is not being used by EC2 instances or a table populated with instance IDs if the default security group is associated with one or more Amazon EC2 instances, as shown in the following example:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-0abcdabcdabcdabcd  |
|  i-0abcd1234abcd1234  |
|  i-01234abcd1234abcd  |
+-----------------------+

03 Change the AWS cloud region by updating the --region command parameter value and repeat the audit process for other regions.

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion":"2010-09-09",
    "Description":"Replace the default security group associated with the specified instance",
    "Resources":{
        "CustomSecurityGroup" : {
            "Type" : "AWS::EC2::SecurityGroup",
            "Properties" : {
                "GroupDescription" : "Custom web traffic security group",
                "GroupName" : "custom-security-group",
                "VpcId" : "vpc-1234abcd",
                "SecurityGroupIngress" : [{
                    "IpProtocol" : "tcp",
                    "FromPort" : 80,
                    "ToPort" : 80,
                    "CidrIp" : "0.0.0.0/0"
                }],
                "SecurityGroupEgress" : [{
                    "IpProtocol" : "-1",
                    "FromPort" : 0,
                    "ToPort" : 65535,
                    "CidrIp" : "0.0.0.0/0"
                }]
            }
        },
        "EC2Instance":{
            "Type":"AWS::EC2::Instance",
            "Properties":{
                "ImageId":"ami-0abcd1234abcd1234",
                "InstanceType":"t3.micro",
                "KeyName":"ssh-key",
                "SubnetId":"subnet-abcd1234",
                "SecurityGroupIds":[
                    {
                        "Ref":"CustomSecurityGroup"
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
    Description: Replace the default security group associated with the specified instance
    Resources:
        CustomSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: Custom web traffic security group
            GroupName: custom-security-group
            VpcId: vpc-1234abcd
            SecurityGroupIngress:
            - IpProtocol: tcp
            FromPort: 80
            ToPort: 80
            CidrIp: 0.0.0.0/0
            SecurityGroupEgress:
            - IpProtocol: "-1"
            FromPort: 0
            ToPort: 65535
            CidrIp: 0.0.0.0/0
        EC2Instance:
        Type: AWS::EC2::Instance
        Properties:
            ImageId: ami-0abcd1234abcd1234
            InstanceType: t3.micro
            KeyName: ssh-key
            SubnetId: subnet-abcd1234
            SecurityGroupIds:
            - Ref: CustomSecurityGroup

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

# Create the replacement security group
resource "aws_security_group" "web-security-group" {
    name        = "custom-security-group"
    description = "Custom web traffic security group"
    vpc_id      = "vpc-1234abcd"

    ingress {
        from_port        = 80
        to_port          = 80
        protocol         = "tcp"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
    }

    egress {
        from_port        = 0
        to_port          = 0
        protocol         = "-1"
        cidr_blocks      = ["0.0.0.0/0"]
        ipv6_cidr_blocks = ["::/0"]
    }

}

# Replace the default security group with the custom one
resource "aws_instance" "ec2-instance" {

    ami = "ami-0abcd1234abcd1234"
    instance_type = "t3.micro"
    key_name = "ssh-key"
    subnet_id = "subnet-abcd1234"
    vpc_security_group_ids = [ aws_security_group.web-security-group.id ]

}

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the default Amazon EC2 security group. To identify the default security group, check the Security group name column for the default value.

05 Click the Actions dropdown button from the console top menu and choose Copy to new security group.

06 On the Copy to new security group setup page, perform the following operations:

1. In the Security group name box, enter a unique name for your new custom security group.
2. In the Description box, provide a short description to reflect the security group usage.
3. From the VPC dropdown list, select the VPC network in which to create the security group.
4. In the Inbound rules section, review and (re)configure the inbound/ingress rules copied automatically from the default security group.
5. In the Outbound rules section, review and (re)configure the outbound/egress rules copied automatically from the default security group.
6. (Optional) For Tags – optional, use the Add tag button to create and apply user-defined tags to the new security group.
7. Choose Create security group to create the new custom security group.

07 Replace the default security group with the new, custom one within your Amazon EC2 instance(s) configuration. To replace the default resource, perform the following actions:

1. In the navigation panel, under Instances, choose Instances.
2. Select the Amazon EC2 instance that you want to reconfigure.
3. Click on the Actions dropdown menu from the console top menu, select Security, and choose Change security groups.
4. On the Change security groups page, perform the following commands:
   • In the Associated security groups section, choose Remove next to the default security group to remove the default security group from your EC2 instance configuration.
   • Click inside the Select security groups box, select the custom security group created at step no 6, and choose Add security group. The custom security group will replace the default one.
   • Choose Save to apply the configuration changes.

08 Repeat step no. 7 for each Amazon EC2 instance associated with the default security group, available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

01 Run describe-security-groups command (OSX/Linux/UNIX) to describe the configuration of the default security group available within the selected AWS cloud region:

aws ec2 describe-security-groups
  --region us-east-1
  --filters Name=group-name,Values='default'

02 The command output should return the requested configuration information:

{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "FromPort": 80,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 80,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "123456789012",
            "GroupId": "sg-abcd1234",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-abcdabcd"
        }
    ]
}

03 Run create-security-group command (OSX/Linux/UNIX) to set up a new custom security group that will replace the default one in the selected AWS cloud region:

aws ec2 create-security-group
  --region us-east-1
  --group-name cc-custom-security-group
  --description "Web Traffic Security Group"
  --vpc-id vpc-abcdabcd

04 The command output should return the ID of the new, custom security group:

{
    "GroupId": "sg-0abcdabcdabcdabcd"
}

05 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to transfer the inbound information from the default security group to the new, custom security group. Run the authorize-security-group-ingress command as many times as needed and change the --protocol, --port and --cidr parameter values in order to create all the inbound/ingress rules defined for the default security group (if successful, the command does not produce an output):

aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-0abcdabcdabcdabcd
  --protocol tcp
  --port 80
  --cidr 0.0.0.0/0

06 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter, to transfer the outbound information from the default security group to the new, custom security group. Run the authorize-security-group-egress command as many times as needed and change the --ip-permissions parameter values in order to create all the outbound/egress rules defined for the default security group (the command does not produce an output):

aws ec2 authorize-security-group-egress
  --region us-east-1
  --group-id sg-0abcdabcdabcdabcd
  --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'

07 Run modify-instance-attribute command (OSX/Linux/UNIX) using the ID of the Amazon EC2 that you want to reconfigure as the identifier parameter, to replace the default security group with the custom one created at step no. 3. Make sure that you add any other compliant security groups, associated with the EC2 instance, to the --groups command parameter (if successful, the command does not produce an output):

aws ec2 modify-instance-attribute
  --region us-east-1
  --instance-id i-0abcdabcdabcdabcd
  --groups sg-01234abcd1234abcd sg-0abcdabcdabcdabcd

08 Repeat step no. 7 for each Amazon EC2 instance associated with the default security group, available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.