Default Security Group Should Not Be Publicly Accessible
More Info:
Default security groups should block all traffic by default. EC2 instances should not be associated with default security groups with public access.Risk Level
MediumAddress
SecurityCompliance Standards
NISTTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of the default security group being publicly accessible in AWS, follow these steps using the AWS Management Console:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to the EC2 Dashboard: Click on the “Services” dropdown menu at the top left corner of the console, select “EC2” under the Compute section.
- Access the Security Groups: In the EC2 Dashboard, locate and click on the “Security Groups” option in the left-hand navigation pane.
- Identify the Default Security Group: Look for the default security group in the list of security groups. The default security group has the name “default” and is associated with all new instances that are launched in the VPC.
- Edit Inbound Rules: Click on the default security group to select it, and then navigate to the “Inbound Rules” tab at the bottom of the console.
- Remove Publicly Accessible Rules: Identify any inbound rules that allow unrestricted access from the internet (0.0.0.0/0 or ::/0) and remove them. This includes rules allowing SSH (port 22), RDP (port 3389), HTTP (port 80), HTTPS (port 443), etc.
- Add Necessary Rules: Add specific inbound rules that allow access only from trusted sources, such as your organization’s IP addresses or specific security groups within your VPC.
- Save the Changes: After making the necessary changes to the inbound rules, click on the “Save rules” button to apply the changes to the default security group.
- Verify Changes: Double-check the inbound rules to ensure that only necessary and restricted access is allowed to the default security group.
Using CLI
Using CLI
To remediate the misconfiguration of the default security group being publicly accessible in AWS, you can follow these steps using the AWS CLI:
- List all the security groups in your AWS account to identify the default security group:
- Get the Group ID of the default security group from the output of the above command.
- Update the inbound rules of the default security group to restrict access. You can remove the existing rules or update them to allow access only from specific IP ranges or security groups. For example, to remove all inbound rules from the default security group:
- Verify that the inbound rules have been updated successfully by describing the security group:
Using Python
Using Python
To remediate the misconfiguration of the default security group being publicly accessible in AWS using Python, you can follow these steps:
- Use the AWS SDK for Python (Boto3) to programmatically update the inbound rules of the default security group to restrict access.
- Here’s a sample Python script that demonstrates how to update the default security group to allow only specific IP ranges or ports:
-
Replace
'YOUR_IP_RANGE'with the specific IP range or port that you want to allow access to. You can add multiple rules as needed. - Run this Python script in your AWS environment with the necessary IAM permissions to update security groups.