Amazon EC2

Default Security Groups In Use

This plugin ensures the default security groups block all traffic by default.

Risk Level: Medium

Description

This plugin ensures the default security groups block all traffic by default. The default security group is often utilized by resources launched without explicitly defining a security group. As a good security measure, it is recommended that default security groups deny all inbound traffic by default.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With the EC2 instance, you can launch as many virtual servers as you need, configure security and networking, and manage storage without worrying about the hardware needs of the process. Security Groups act as a firewall for an EC2 instance to control the incoming and outgoing traffic. You can read more about security groups here.

Impact

Security Groups act as a firewall for the EC2 instances to control the incoming and outgoing traffic. There are rules defined under security groups that can allow specific IP addresses to access the EC2 instance with the protocol and the Ports specified.

In the absence of proper restriction with the inbound rules, resources using default security groups can accidentally expose themselves.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. Move to the Security Group in the Network and Security section from the left navigation pane.
  4. From the list of security groups, choose the group whose Security Group Name is set to “default” by clicking on its Security group ID.
  5. The Inbound rules tab will be selected which has a list of rules for the security group. If there are any rules, the default Security Group does not block all traffic by default.
  6. Repeat steps 4 to 5 for all the Security Groups you want to investigate.

Steps for Remediation

Update the rules for the default security group to deny all traffic by default:

  1. Log In to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if already logged in. 
  3. Move to the Security Group in the Network and Security section from the left navigation pane.
  4. You will find a list of Security Groups available. From the list, choose the vulnerable security group by clicking on its Security group ID.
  5. The Inbound rules tab will be selected along with a list of rules for the security group. Click on the Edit Inbound Rules button on the right.
  6. From the list of rules with insecure Port range, click on the Delete button for all the inbound rules. 
  7. Click on Preview Changes to preview the changes, and Save rules to save them.
  8. Repeat steps 4 to 8 for all the Security Groups you want to fix.