Ensure AWS EC2 Instances Are Not Using the Default Security Group

Description:

Every VPC comes with a default security group that cannot be deleted, and any EC2 instance launched into the VPC without an explicitly specified security group is attached to it. The default group's initial rules allow all inbound traffic from other members of the same group and all outbound traffic, so every instance that falls back to it joins one broad, implicitly trusted network segment. Because the group is shared by every workload in the VPC, a rule added later for one instance (for example, opening SSH or RDP to the internet) silently widens the exposure of every other instance still attached to it.


Remediation:

1. Identify EC2 Instances Using the Default Security Group:

AWS Management Console:
  • Navigate to the EC2 Dashboard.
  • In the navigation pane, choose Security Groups.
  • Identify the default security group (it will be named "default").
  • View the Inbound and Outbound rules for this security group to understand its permissions.
  • Go to the Instances section and view the associated security group for each instance. If any instance is associated with the default security group, it's using the default settings.
AWS CLI:

List EC2 instances attached to a security group named default (the filter matches by group name, so it covers every VPC in the current region; run it in each region you use):

aws ec2 describe-instances --filters Name=instance.group-name,Values=default --query 'Reservations[*].Instances[*].[InstanceId]' --output table

2. Assign a Custom Security Group to EC2 Instances:

AWS Management Console:
  • Navigate to the EC2 Dashboard.
  • Select the instance that's using the default security group.
  • Choose Actions, then Networking, and then Change Security Groups.
  • Deselect the default security group and select your custom security group.
  • Choose Assign Security Groups.
AWS CLI:

To replace the security groups associated with a specific EC2 instance:

aws ec2 modify-instance-attribute --instance-id [INSTANCE_ID] --groups [CUSTOM_SECURITY_GROUP_ID]

Replace [INSTANCE_ID] with the instance ID and [CUSTOM_SECURITY_GROUP_ID] with the ID of your custom security group. Two caveats: --groups replaces the instance's entire group list rather than adding to it, so list every group the instance should keep (space-separated) alongside the custom one; and the change applies only to the instance's primary network interface. An instance with additional network interfaces needs each of them updated separately with aws ec2 modify-network-interface-attribute --network-interface-id [ENI_ID] --groups [CUSTOM_SECURITY_GROUP_ID].

Terraform:

When defining EC2 instances in Terraform, explicitly set the vpc_security_group_ids attribute with group IDs (the older security_groups argument takes group names and only works in the default VPC):

resource "aws_instance" "example" {
  # ... other configurations ...

  # An explicit list prevents the implicit "default" association.
  vpc_security_group_ids = [aws_security_group.custom.id]
}

resource "aws_security_group" "custom" {
  name        = "app-custom"
  description = "Least-privilege group for the example instance"

  # Illustrative rule only: HTTPS from a single trusted CIDR.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }
}

3. Regularly Monitor and Audit:

  • Periodically review the EC2 instances and their associated security groups (including secondary network interfaces) to ensure no instances revert to using the default security group, for example after a launch template or automation omits the group setting.
  • Consider a custom AWS Config rule or a scheduled script that flags any network interface attached to the default security group, and pair it with the managed rule vpc-default-security-group-closed, which reports a default security group that still carries any inbound or outbound rules.
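As an added example (not part of the original guidance or any AWS tooling), the following Python script performs the audit and remediation planning of steps 1 and 2 on the JSON shape that aws ec2 describe-instances returns, and its is_compliant function can serve as the evaluation body of the custom rule or scheduled audit described in step 3. It is pure Python over constructed sample data so it runs offline; the instance, interface and group IDs are made up, and the custom group ID sg-custom is an assumption. It goes one step beyond the CLI commands above by inspecting every network interface and by keeping any non-default groups already attached, since --groups replaces the whole set.

```python
"""
Added example (not from the original page): audit EC2 instances for attachment
to a VPC default security group and compute the exact group set that should
replace it, per network interface. It works on the JSON shape returned by
`aws ec2 describe-instances`, so it runs offline on constructed data; wiring it
to boto3 (ec2.describe_instances / modify_network_interface_attribute) is left
to the caller.
"""
from typing import Dict, List

# Constructed sample in the describe-instances shape; all IDs are made up.
# i-0aaa has two ENIs, one of them also carrying a non-default group.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa", "VpcId": "vpc-1", "NetworkInterfaces": [
            {"NetworkInterfaceId": "eni-01",
             "Groups": [{"GroupId": "sg-def1", "GroupName": "default"}]},
            {"NetworkInterfaceId": "eni-02",
             "Groups": [{"GroupId": "sg-def1", "GroupName": "default"},
                        {"GroupId": "sg-app", "GroupName": "app"}]},
        ]},
        {"InstanceId": "i-0bbb", "VpcId": "vpc-1", "NetworkInterfaces": [
            {"NetworkInterfaceId": "eni-03",
             "Groups": [{"GroupId": "sg-app", "GroupName": "app"}]},
        ]},
    ]}]
}


def is_default_group(group: Dict[str, str]) -> bool:
    """AWS reserves the name "default" for the VPC default group and rejects
    it for custom groups, so the name is a reliable marker."""
    return group.get("GroupName") == "default"


def find_default_attachments(describe_instances: Dict) -> List[Dict]:
    """Return one finding per network interface that carries the default group.
    Checking ENIs rather than the instance summary catches secondary
    interfaces, which `modify-instance-attribute --groups` would not touch."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for eni in inst.get("NetworkInterfaces", []):
                if any(is_default_group(g) for g in eni.get("Groups", [])):
                    findings.append({
                        "InstanceId": inst["InstanceId"],
                        "VpcId": inst.get("VpcId"),
                        "NetworkInterfaceId": eni["NetworkInterfaceId"],
                        "Groups": eni["Groups"],
                    })
    return findings


def replacement_groups(groups: List[Dict[str, str]], custom_sg_id: str) -> List[str]:
    """Build the full list to pass with --groups. The call replaces the whole
    set, so every non-default group already present is kept and the custom
    group (assumed ID) is appended only if it is not already there."""
    kept = [g["GroupId"] for g in groups if not is_default_group(g)]
    if custom_sg_id not in kept:
        kept.append(custom_sg_id)
    return kept


def remediation_commands(findings: List[Dict], custom_sg_id: str) -> List[str]:
    """Render one AWS CLI command per affected ENI; the network-interface
    variant works for primary and secondary interfaces alike."""
    cmds = []
    for f in findings:
        groups = " ".join(replacement_groups(f["Groups"], custom_sg_id))
        cmds.append(
            "aws ec2 modify-network-interface-attribute "
            f"--network-interface-id {f['NetworkInterfaceId']} --groups {groups}"
        )
    return cmds


def is_compliant(describe_instances: Dict) -> bool:
    """True when no interface in the output is attached to a default group.
    Usable as the verdict of a custom AWS Config rule or a scheduled check."""
    return not find_default_attachments(describe_instances)


if __name__ == "__main__":
    found = find_default_attachments(SAMPLE_DESCRIBE_INSTANCES)
    for cmd in remediation_commands(found, "sg-custom"):
        print(cmd)
    print("compliant:", is_compliant(SAMPLE_DESCRIBE_INSTANCES))
```

Run against real output with `aws ec2 describe-instances --output json` piped into json.load, then review the printed commands before executing them; the script only plans the change, it does not call AWS.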

Recommendation:

Avoid relying on default settings and configurations in AWS, as they rarely match least-privilege practice or organizational requirements. Always explicitly specify which security groups an EC2 instance (and each of its network interfaces) should belong to, in launch templates and infrastructure code as well as in manual launches, and regularly audit your infrastructure to confirm nothing has fallen back to the default group. As a complementary control, remove every inbound and outbound rule from each VPC's default security group so that an accidental association grants no network access at all. AWS Config or other monitoring tools can automate both checks.