Ensure the default security group of every VPC restricts all traffic

4.3 Networking (AWS CIS Benchmark).

A VPC comes with a default security group whose initial settings:

  • Deny all inbound traffic
  • Allow all outbound traffic
  • Allow all traffic between instances assigned to the security group.

If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources.

It is recommended that the default security group restrict all traffic.

The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation.

Implement the prescribed state via the AWS Management Console

Step 1. Identify the AWS resources that exist within the default security group.

Step 2. Create a set of least privilege security groups for those resources.

Step 3. Place the resources in those security groups.

Step 4. Remove the resources noted in #1 from the default security group.

Security Group State

Step 5. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home.

Step 6. Repeat the next steps for all VPCs, including the default VPC in each AWS region.

Step 7. In the left pane, click on Security Groups.

Step 8. For each default security group, perform the following:

  • Select the default security group.
  • Click on the Inbound Rules tab.
  • Remove any inbound rules.
  • Click on the Outbound Rules tab.
  • Remove any outbound rules.

Recommended: IAM groups allow you to edit the "name" field. After remediating the default group rules for all VPCs in all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES."
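The audit and remediation described above, as an added Python example that is not part of the CIS Benchmark text: it evaluates `describe-security-groups` output against this recommendation and, through a dry-run stand-in for the boto3 EC2 client, records the revoke calls that step 8 corresponds to before anything is applied. The group ids, VPC ids and account id in the sample are constructed placeholders; `revoke_security_group_ingress` and `revoke_security_group_egress` are assumed to be the real boto3 client methods a live client would provide.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups
# --filters Name=group-name,Values=default`; ids and account are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "default", "VpcId": "vpc-0aaa",
   "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs":
       [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "111122223333"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "default", "VpcId": "vpc-0bbb",
   "IpPermissions": [], "IpPermissionsEgress": []}
]}""")


def audit_default_groups(describe_output: dict) -> dict:
    """Map each group named 'default' to its VPC, rule counts and CIS 4.3 status.
    Compliant means no inbound rules and no outbound rules at all."""
    findings = {}
    for sg in describe_output["SecurityGroups"]:
        if sg["GroupName"] != "default":
            continue
        inbound, outbound = sg.get("IpPermissions", []), sg.get("IpPermissionsEgress", [])
        findings[sg["GroupId"]] = {"vpc": sg["VpcId"], "inbound": len(inbound),
                                   "outbound": len(outbound),
                                   "compliant": not inbound and not outbound}
    return findings


class DryRunClient:
    """Stand-in for a boto3 EC2 client: records the revocations remediate()
    would issue so the plan can be reviewed before running it for real."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("ingress", GroupId, IpPermissions))

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.calls.append(("egress", GroupId, IpPermissions))


def remediate(ec2, sg: dict) -> None:
    """Revoke every rule on one default group (step 8). `ec2` is a boto3 EC2 client
    or DryRunClient; passing IpPermissions back as describe returned it removes them."""
    if sg.get("IpPermissions"):
        ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=sg["IpPermissions"])
    if sg.get("IpPermissionsEgress"):
        ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=sg["IpPermissionsEgress"])
```

Run the audit per region (the default group exists once per VPC, including the default VPC in every region) and only swap the dry-run client for a real one after the recorded plan has been reviewed and the resources from step 1 have been moved out of the group.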