How to Configure AWS Default Security Group to Not Allow All Traffic (CIS 4.3 Compliance)

Tadashi Shigeoka ·  Thu, July 15, 2021

This post describes how I removed every inbound and outbound rule from the AWS default security groups so that they no longer allow any traffic.


Background: Want to Disable AWS Default Security Group

CIS 4.3 Default security group does not allow all traffic

Alert criteria:

  • Rules are set in the default security group
  • EC2 instances are using the default security group

Notes:

  • The default security group is created automatically when a VPC is created, and an instance launched without an explicit security group is automatically associated with it
  • To ensure the intended configuration, avoid using the default security group
  • Prepare security groups other than the default one and attach those to EC2 instances
  • Remove the outbound and inbound rules from the default security group, and detach it from any instances it is attached to
  • Response procedure: Security groups for your VPC (VPC のセキュリティグループ) - Amazon Virtual Private Cloud

Source: CIS 4.3 Default security group does not allow all traffic

Since leaving the AWS default security groups in a state where they permit traffic is not recommended, I decided to remove all of their rules (the default security group itself cannot be deleted, only emptied).

Manually Disable Default Security Group

AWS Default Security Group Rule Deletion Steps

  1. Open [EC2] - [Network & Security] - [Security Groups] in the AWS Console
  2. Delete the [Inbound rules] and [Outbound rules] of the default security group

Out of the box a default security group has one inbound rule allowing all traffic from instances in the same group and one outbound rule allowing all traffic to 0.0.0.0/0 (plus ::/0 if the VPC has an IPv6 CIDR block); those are the rules that have to go. Every VPC in every region has its own default security group, the default VPC included, so the check has to be repeated per VPC rather than once per account. I performed the above steps starting from the US East (N. Virginia) us-east-1 security group page, switching regions one by one, and removed the rules from every default security group.

Automatically Disable Default Security Group

There seems to be a way to automatically disable AWS default security groups, but I haven’t implemented it myself.
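As an added example (my code, not the post's own), covering both the manual rule removal above and the automation this section mentions: the functions below read the JSON that `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`) returns, flag every default group that still has inbound or outbound rules, and produce the exact revoke calls, both as AWS CLI command lines and as boto3-style calls recorded by a dry-run client. The response and its group, VPC and account IDs are constructed; run it against each region's output in turn (`aws ec2 describe-regions` lists them). For continuous checking without custom code, the AWS Config managed rule `vpc-default-security-group-closed` evaluates the same condition.

```python
# Added example (not the post's own code): check CIS 4.3 against the output of
# `aws ec2 describe-security-groups` and build the revoke calls that empty a
# non-compliant default security group. SAMPLE_RESPONSE is a constructed
# response with hypothetical IDs; in practice it comes from the API, per region.
import json

SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {   # default group exactly as AWS creates it: self-referencing ingress,
            # allow-all egress -> NOT compliant
            "GroupName": "default", "GroupId": "sg-0123456789abcdef0",
            "VpcId": "vpc-0123456789abcdef0", "OwnerId": "123456789012",
            "IpPermissions": [{
                "IpProtocol": "-1",
                "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0",
                                      "UserId": "123456789012"}],
            }],
            "IpPermissionsEgress": [{
                "IpProtocol": "-1",
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
            }],
        },
        {   # default group of a VPC that was already remediated -> compliant
            "GroupName": "default", "GroupId": "sg-0fedcba9876543210",
            "VpcId": "vpc-0fedcba9876543210", "OwnerId": "123456789012",
            "IpPermissions": [], "IpPermissionsEgress": [],
        },
        {   # a non-default group with rules: out of scope for CIS 4.3
            "GroupName": "web-sg", "GroupId": "sg-0abc0abc0abc0abc0",
            "VpcId": "vpc-0123456789abcdef0", "OwnerId": "123456789012",
            "IpPermissions": [{
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [],
            }],
            "IpPermissionsEgress": [],
        },
    ]
}


def is_cis_4_3_compliant(group):
    """CIS 4.3 is satisfied only when the default group has no rules at all."""
    return not group.get("IpPermissions") and not group.get("IpPermissionsEgress")


def remediation_plan(response):
    """Non-compliant default groups together with the IpPermissions payloads
    to revoke. Only GroupName == 'default' is examined; that group cannot be
    deleted, so it has to be emptied instead."""
    plan = []
    for g in response["SecurityGroups"]:
        if g["GroupName"] != "default" or is_cis_4_3_compliant(g):
            continue
        plan.append({"GroupId": g["GroupId"], "VpcId": g["VpcId"],
                     "revoke_ingress": g.get("IpPermissions", []),
                     "revoke_egress": g.get("IpPermissionsEgress", [])})
    return plan


def cli_commands(plan, region):
    """Equivalent AWS CLI invocations. The IpPermissions structures from the
    describe output are accepted verbatim by --ip-permissions, so the
    self-referencing rule is revoked without hand-writing its UserIdGroupPairs."""
    cmds = []
    for item in plan:
        for direction, perms in (("ingress", item["revoke_ingress"]),
                                 ("egress", item["revoke_egress"])):
            if perms:
                cmds.append("aws ec2 revoke-security-group-%s --region %s "
                            "--group-id %s --ip-permissions '%s'"
                            % (direction, region, item["GroupId"], json.dumps(perms)))
    return cmds


class DryRunClient:
    """Stand-in for a boto3 EC2 client: records the revoke calls instead of
    making them, so the plan can be reviewed before it is applied for real."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("ingress", kwargs))

    def revoke_security_group_egress(self, **kwargs):
        self.calls.append(("egress", kwargs))


def apply_plan(ec2, plan):
    """Apply the plan through a boto3-style EC2 client (real or DryRunClient);
    returns the number of revoke calls issued."""
    calls = 0
    for item in plan:
        if item["revoke_ingress"]:
            ec2.revoke_security_group_ingress(GroupId=item["GroupId"],
                                              IpPermissions=item["revoke_ingress"])
            calls += 1
        if item["revoke_egress"]:
            ec2.revoke_security_group_egress(GroupId=item["GroupId"],
                                             IpPermissions=item["revoke_egress"])
            calls += 1
    return calls


if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_RESPONSE)
    for cmd in cli_commands(plan, "us-east-1"):
        print(cmd)
    client = DryRunClient()
    print("revoke calls:", apply_plan(client, plan))
```

Revoking the rules does not fail when instances are still attached to the group; it silently cuts their traffic, so move any such instances to a purpose-built security group before applying the plan with a real client.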

Thoughts: Want AWS to Be Secure by Default

Below are my personal requests to AWS.

  • I want regions to be disabled by default since most regions are unused
  • I don't want default security groups to be provided by default since having them in a vulnerable state is undesirable

That’s all from the Gemba.