Default EC2 Security Group Allows Access

Overview

The default security group of a VPC allows ingress and/or egress traffic. The default security group is attached to any resource in a VPC that is not explicitly assigned a security group at creation (typically only possible through the CLI or APIs). The default group should deny all access and, ideally, never be used by any resource: every resource should be created with a security group whose permissions are appropriately defined. Blocking all access in the default security group ensures that a resource which is accidentally created without an appropriate group defaults to no inbound or outbound access.
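As an added example, not part of this control's page, the following Python check applies the control to the JSON returned by `aws ec2 describe-security-groups`: it flags every VPC default group that still carries any inbound or outbound rule and builds the AWS CLI revoke commands that strip those rules. The sample groups and their ids are constructed for the example.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output (its "SecurityGroups" list); all ids are placeholders.
SAMPLE_SECURITY_GROUPS = [
    {   # default group still carrying the two rules AWS creates with it
        "GroupId": "sg-0aaa000000000001", "GroupName": "default", "VpcId": "vpc-0aaa000000000001",
        "IpPermissions": [{"IpProtocol": "-1",
                           "UserIdGroupPairs": [{"GroupId": "sg-0aaa000000000001"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {   # default group already locked down: no rules in either direction
        "GroupId": "sg-0bbb000000000002", "GroupName": "default", "VpcId": "vpc-0bbb000000000002",
        "IpPermissions": [], "IpPermissionsEgress": [],
    },
    {   # non-default group: outside the scope of this control
        "GroupId": "sg-0ccc000000000003", "GroupName": "web-tier", "VpcId": "vpc-0aaa000000000001",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        "IpPermissionsEgress": [],
    },
]

def find_open_default_groups(groups):
    """Return [(GroupId, VpcId, inbound_rules, outbound_rules)] for each VPC default
    group that still permits traffic. Compliant means zero entries in both rule lists;
    an untouched default group fails on egress alone (AWS adds an allow-all outbound rule)."""
    findings = []
    for sg in groups:
        if sg.get("GroupName") != "default":
            continue
        inbound, outbound = len(sg.get("IpPermissions", [])), len(sg.get("IpPermissionsEgress", []))
        if inbound or outbound:
            findings.append((sg["GroupId"], sg["VpcId"], inbound, outbound))
    return findings

def remediation_commands(sg):
    """Build the AWS CLI revoke commands that strip every rule from one group; the reported
    rule sets go back verbatim as --ip-permissions JSON, so exactly those rules are removed."""
    cmds = []
    for action, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        if sg.get(key):
            cmds.append(f"aws ec2 revoke-security-group-{action} --group-id {sg['GroupId']} "
                        f"--ip-permissions '{json.dumps(sg[key])}'")
    return cmds

if __name__ == "__main__":
    for gid, vpc, inb, outb in find_open_default_groups(SAMPLE_SECURITY_GROUPS):
        print(f"FAIL {gid} in {vpc}: {inb} inbound, {outb} outbound rule(s)")
```

Replace the sample with the real response to audit an account; review the generated commands before running them, since they remove every rule the default group currently has.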

Vendor

AWS

Cloud Service

EC2

CIS AWS v1.5.0 5.4, EC2.2

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2

Severity

3

Item Types

AWS::EC2::SecurityGroup