AWS VPC Default Security Group Restricts All Traffic
This policy validates that the default Security Group for a given AWS VPC restricts all inbound and outbound traffic.
The principle of least privilege dictates that all traffic should be blocked unless it is explicitly needed, so it is recommended to create dedicated security groups for each category of inbound and outbound traffic flow. Ensuring the default security group blocks all traffic enforces this behavior: any new EC2 instance (or other resource with a network interface) that needs any network connectivity must be moved off the default security group into a purpose-built one.
To remediate this, remove all inbound and outbound rules from each default security group found in the report. The default security group itself cannot be deleted, only emptied; as created by AWS it carries an inbound rule allowing all traffic from members of the same group and an outbound rule allowing all traffic to any destination, and both must go.
This could have wide-ranging consequences if these default security groups are in use. Taking the actions described above will break all network connectivity for any resources in these VPCs that still use the default security group.
It is highly recommended to first migrate these resources into dedicated security groups configured with the minimum access necessary for their roles. VPC Flow Logs can help profile current network usage and inform how to build the least-privilege rules needed so that no instances in these VPCs lose connectivity.
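The check, the migration caveat and the remediation above, as an added example that is not part of this policy page or its tooling: a Python script that reports which default security groups still carry rules, lists the network interfaces that still depend on each one, and builds the revoke calls, executing them (via boto3) only with --apply and only when nothing is still attached. The security-group and ENI ids, the account id and the sample rules are constructed placeholders.

```python
"""Find VPC default security groups that still carry rules, see which
network interfaces depend on them, and build the revoke calls that close them.

The checks work on the dict shapes returned by ec2.describe_security_groups()
and ec2.describe_network_interfaces(), so they can be run offline on the
constructed sample data below. main() is the only part that talks to AWS; it
is a dry run unless --apply is given, and it refuses to revoke rules from a
group that still has interfaces attached (migrate those first).
"""
import sys
from typing import Any, Dict, List

# Constructed sample: the rules a freshly created VPC default SG carries
# (all traffic from itself inbound, all traffic to 0.0.0.0/0 outbound).
# All ids below are hypothetical placeholders, not real resources.
SAMPLE_SG: Dict[str, Any] = {
    "GroupId": "sg-0default0example",
    "GroupName": "default",
    "VpcId": "vpc-0example",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0default0example", "UserId": "123456789012"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}

# Constructed sample ENIs: one still on the default SG, one already migrated.
SAMPLE_ENIS: List[Dict[str, Any]] = [
    {"NetworkInterfaceId": "eni-0stillondefault",
     "Groups": [{"GroupId": "sg-0default0example", "GroupName": "default"}]},
    {"NetworkInterfaceId": "eni-0migrated",
     "Groups": [{"GroupId": "sg-0webtier0example", "GroupName": "web-tier"}]},
]


def is_closed(sg: Dict[str, Any]) -> bool:
    """The policy passes only when the SG has no inbound and no outbound rules at all."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def dependent_interfaces(sg_id: str, enis: List[Dict[str, Any]]) -> List[str]:
    """ENIs that still reference sg_id; revoking its rules would cut these off."""
    return [
        eni["NetworkInterfaceId"]
        for eni in enis
        if any(g.get("GroupId") == sg_id for g in eni.get("Groups", []))
    ]


def revoke_plan(sg: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Keyword arguments for revoke_security_group_ingress / _egress that strip every rule.

    The IpPermissions blocks returned by describe_security_groups can be passed
    straight back to the revoke calls, so no re-encoding is needed."""
    plan: Dict[str, Dict[str, Any]] = {}
    if sg.get("IpPermissions"):
        plan["ingress"] = {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissions"]}
    if sg.get("IpPermissionsEgress"):
        plan["egress"] = {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissionsEgress"]}
    return plan


def main(apply: bool = False) -> None:
    import boto3  # imported lazily so the pure checks above stay importable offline

    ec2 = boto3.client("ec2")
    # Every VPC's default security group is named "default".
    groups = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": ["default"]}])["SecurityGroups"]
    for sg in groups:
        if is_closed(sg):
            print(f"{sg['GroupId']} ({sg['VpcId']}): compliant, no rules")
            continue
        enis = ec2.describe_network_interfaces(
            Filters=[{"Name": "group-id", "Values": [sg["GroupId"]]}])["NetworkInterfaces"]
        blocked = dependent_interfaces(sg["GroupId"], enis)
        print(f"{sg['GroupId']} ({sg['VpcId']}): NON-COMPLIANT, {len(blocked)} ENI(s) attached: {blocked}")
        plan = revoke_plan(sg)
        for direction, kwargs in plan.items():
            print(f"  {direction} rules to revoke: {kwargs['IpPermissions']}")
        if blocked:
            print("  not revoking: migrate the interfaces above to dedicated groups first")
        elif apply:
            for direction, kwargs in plan.items():
                getattr(ec2, f"revoke_security_group_{direction}")(**kwargs)
            print("  revoked")
        else:
            print("  dry run; re-run with --apply to revoke")


if __name__ == "__main__":
    main(apply="--apply" in sys.argv)
```

Run it once without arguments to get the report and the list of interfaces that would lose connectivity, move those interfaces to least-privilege groups (VPC Flow Logs tell you what they actually talk to), then run with --apply; groups with anything still attached are skipped rather than cut off.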
- CIS AWS Benchmark 4.3 "Ensure the default security group of every VPC restricts all traffic"