If an Amazon EC2 instance is launched without specifying a custom security group, it will be automatically assigned the default security group. This is a common occurrence and can lead to security risks if the default security group allows unrestricted access. Attackers can exploit this vulnerability for malicious purposes, including hacking, brute-force attacks, or Denial-of-Service (DoS) attacks. To avoid these risks, it is important to ensure that your AWS cloud account provisions Amazon EC2 instances with custom and unique security groups. This can be achieved by avoiding association with default security groups created alongside VPCs and instead using security groups that exercise the Principle of Least Privilege.
To ensure that default security groups are not used in AWS, you can take the following remediation steps:
- Identify any Amazon EC2 instances, Amazon RDS instances, or other resources in your AWS account that are currently associated with default security groups.
- Create custom security groups that follow the principle of least privilege and provide the minimum required permissions for the resources they will protect.
- Assign the custom security groups to the resources identified in step 1, ensuring that no resources remain associated with default security groups.
- Remove the ingress and egress rules from the default security groups to ensure that they are not used for any resources in your AWS account.
- Delete the default security groups if they are no longer required or if they are not being used by any resources.
- Implement IAM policies and user training to prevent future use of default security groups and promote the use of custom security groups.
- Regularly monitor your AWS resources to ensure that no resources are using default security groups, and to check that custom security groups are configured correctly.
By following these remediation steps, you can ensure that default security groups are not used in your AWS account, reducing the risk of security breaches and unauthorized access to your resources.
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.