MEDIUM VPC · CIS 5.4

Default security group restricts all traffic

Check ID: aws-vpc-005

AWS-VPC-005 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether the default security group of every VPC restricts all inbound and outbound traffic, i.e. whether the group carries no rules at all. Default security groups should have no rules, so that a resource launched without an explicit security group gets no network access rather than the permissive AWS defaults.

Why it matters

Every VPC is created with a default security group, and that group cannot be deleted. When an EC2 instance, RDS instance, or Lambda function in a VPC is launched without a security group being specified, the API attaches the default security group. As created by AWS, that group has one inbound rule allowing all traffic from any other resource that is also a member of the default group, and an outbound rule allowing all traffic to 0.0.0.0/0 (plus a matching ::/0 rule when the VPC has an IPv6 CIDR block). So a resource accidentally launched without a specific security group can talk freely to every other such resource in the VPC and to any destination its route table reaches, including the internet. In environments with sensitive workloads such as databases, this creates network paths that bypass the intended segmentation, and because the rules are AWS defaults rather than something an engineer wrote, nobody is likely to be reviewing them. Removing every rule from the default security group means a launch that forgot its security group has no connectivity at all, which surfaces the mistake quickly and forces engineers to assign the correct group explicitly. The group is emptied, not deleted: AWS refuses to delete it, and any rule added back to it later reintroduces the problem.

Common causes

The default security group rules are created automatically with every VPC and most teams never modify them. The RunInstances API, and therefore the CLI and SDKs, fall back to the default security group whenever no security group is passed, and engineers rarely notice this during manual deployments. Terraform and CloudFormation resources that omit the security group parameter silently inherit the default security group with its permissive rules in the same way. Some teams also reference the default group deliberately as a convenient "allow everything internally" group, which keeps its rules in place and makes later cleanup harder.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.

Remediation: AWS CLI

# List current rules on the default group (repeat for the default group of every VPC in every region):
aws ec2 describe-security-groups --group-ids SG_ID --region REGION
# Remove the AWS-created self-referencing ingress rule (source = the group itself, all protocols):
aws ec2 revoke-security-group-ingress --group-id SG_ID --source-group SG_ID --protocol all --region REGION
# Remove the AWS-created allow-all IPv4 egress rule; if the VPC has an IPv6 CIDR block,
# revoke the equivalent ::/0 egress rule as well, then re-run describe-security-groups
# and confirm both IpPermissions and IpPermissionsEgress are empty:
aws ec2 revoke-security-group-egress --group-id SG_ID --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' --region REGION
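The check itself is simple to reproduce offline. The Python below is an added example for this page, not cloud-audit's own code: it takes the parsed JSON that `aws ec2 describe-security-groups` returns (a constructed sample is embedded, so nothing talks to AWS), flags every default security group that still has any ingress or egress rule, and for each failing group builds the exact `revoke-security-group-ingress` / `revoke-security-group-egress` commands needed to empty it. It generalises the two CLI lines above: whatever rules are present, including an IPv6 egress rule, are reflected back as revoke payloads trimmed to the fields that identify a rule. The group IDs, VPC IDs and account ID in the sample are made up.

```python
import json

# Constructed sample modelled on the output of
#   aws ec2 describe-security-groups --filters Name=group-name,Values=default
# for two VPCs. vpc-0aaa still has the AWS-created self-referencing ingress rule
# and allow-all egress rules (IPv4 and IPv6); vpc-0bbb has already been emptied.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa",
            "GroupName": "default",
            "VpcId": "vpc-0aaa",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "123456789012"}],
                }
            ],
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [],
                }
            ],
        },
        {
            "GroupId": "sg-0bbb",
            "GroupName": "default",
            "VpcId": "vpc-0bbb",
            "IpPermissions": [],
            "IpPermissionsEgress": [],
        },
    ]
}

# For each rule-target list, the keys that identify the target in a revoke call.
# Descriptions and other metadata are dropped so the payload matches what was authorised.
_TARGET_KEYS = {
    "IpRanges": ("CidrIp",),
    "Ipv6Ranges": ("CidrIpv6",),
    "PrefixListIds": ("PrefixListId",),
    "UserIdGroupPairs": ("GroupId", "UserId"),
}


def is_compliant(group):
    """A default security group passes only when it has no ingress and no egress rules."""
    return not group.get("IpPermissions") and not group.get("IpPermissionsEgress")


def evaluate(describe_output):
    """Map every default security group in the describe output to PASS or FAIL by GroupId."""
    return {
        g["GroupId"]: "PASS" if is_compliant(g) else "FAIL"
        for g in describe_output["SecurityGroups"]
        if g["GroupName"] == "default"
    }


def _revoke_permissions(permissions):
    """Trim describe output down to the --ip-permissions shape the revoke calls accept."""
    trimmed = []
    for perm in permissions:
        entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        for field, keys in _TARGET_KEYS.items():
            targets = [{k: t[k] for k in keys if k in t} for t in perm.get(field, [])]
            if targets:
                entry[field] = targets
        trimmed.append(entry)
    return trimmed


def revoke_commands(group, region):
    """Build the AWS CLI commands that strip every rule from one group. Nothing is executed."""
    cmds = []
    for direction, field in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        perms = _revoke_permissions(group.get(field, []))
        if perms:
            payload = json.dumps(perms, separators=(",", ":"))
            cmds.append(
                f"aws ec2 revoke-security-group-{direction} --group-id {group['GroupId']} "
                f"--ip-permissions '{payload}' --region {region}"
            )
    return cmds


if __name__ == "__main__":
    results = evaluate(SAMPLE_DESCRIBE_OUTPUT)
    for group in SAMPLE_DESCRIBE_OUTPUT["SecurityGroups"]:
        print(f"{group['VpcId']} {group['GroupId']}: {results[group['GroupId']]}")
        for cmd in revoke_commands(group, "us-east-1"):
            print("  " + cmd)
```

To run it against a real account, feed `json.load()` of `aws ec2 describe-security-groups --filters Name=group-name,Values=default --region REGION` into `evaluate()` and `revoke_commands()`, review the printed commands, and only then execute them. Because the payloads are derived from the rules actually present, the IPv6 egress rule that the hand-written CLI line above omits is revoked too.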

Remediation: Terraform

# Terraform can adopt and manage the default SG. When aws_default_security_group first
# adopts the group it removes every existing ingress and egress rule, then creates only the
# rules declared here. Declaring no ingress or egress blocks therefore keeps the group empty,
# and any drift (a rule added by hand later) shows up in the next plan.
resource "aws_default_security_group" "default" {
  vpc_id = "VPC_ID"
  # No ingress/egress blocks = no rules = all traffic denied
}

Compliance mapping

This check maps to recommendation 5.4 of the CIS AWS Foundations Benchmark, "Ensure the default security group of every VPC restricts all traffic". The recommendation number has moved between benchmark revisions, so match on the title when cross-referencing older reports. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit