No risk associated with "Non-empty rulesets for default security groups"
andresriancho opened this issue
This flags when there is a security group that contains default in the name, and has rules. What is the risk? The only thing I see wrong here is that the devops guy didn't change the name to default -> bad cloud infrastructure documentation.
What am I missing?
PS: Reporting with the intention to a) learn, b) remove the check if it doesn't make sense.
A default SG (called "default") is created for each VPC. These SGs come with rules which allow all inbound traffic from instances assigned to the same security group, as well as all outbound traffic.
The default security group is assigned to new instances created within a VPC if no custom security groups are assigned to it during configuration.
These default rules may be overly permissive, for instance allowing an attacker who has compromised one instance with the default security group assigned to use horizontal privilege escalation to compromise all other instances configured with the default security group.
In order to improve system hardening, you should remove all rules from the default security groups so that they restrict all traffic. Should an instance be created without custom security groups, it will inherit the default security group and be unable to communicate with other instances within the VPC until the required custom security groups are assigned.
The rule you mentioned could/should be improved by making sure the rules for SGs named "default" are indeed the default rules, and haven't been modified to be more restrictive.
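The check the reply describes (flag each VPC `default` group whose ruleset is non-empty, and additionally tell whether the rules are still AWS's untouched defaults or have been edited) can be written against the `DescribeSecurityGroups` output. The script below is an added example, not Scout2's code or the commenter's; it only depends on the standard boto3 response shape and runs offline on a constructed sample (the group and VPC IDs are invented). It also builds the `revoke_security_group_ingress`/`revoke_security_group_egress` calls that would empty a flagged group, without executing them.

```python
"""Audit VPC default security groups (added example, not Scout2 code).

Input is the dict shape returned by EC2 DescribeSecurityGroups, i.e.
boto3's ec2.describe_security_groups()["SecurityGroups"]. No AWS call is
made; SAMPLE_SGS below is constructed to mirror that shape.
"""

ALL_TRAFFIC = "-1"  # IpProtocol value meaning all protocols and ports
ANYWHERE_V4, ANYWHERE_V6 = "0.0.0.0/0", "::/0"


def _is_default_ingress(sg):
    """AWS's stock inbound rule: all traffic from members of this same group
    (a single self-referencing UserIdGroupPair, no CIDR or prefix-list sources)."""
    perms = sg.get("IpPermissions", [])
    if len(perms) != 1:
        return False
    p = perms[0]
    pairs = p.get("UserIdGroupPairs", [])
    return (p.get("IpProtocol") == ALL_TRAFFIC
            and not p.get("IpRanges") and not p.get("Ipv6Ranges")
            and not p.get("PrefixListIds")
            and len(pairs) == 1 and pairs[0].get("GroupId") == sg["GroupId"])


def _is_default_egress(sg):
    """AWS's stock outbound rule: all traffic to 0.0.0.0/0 (plus ::/0 on
    dual-stack VPCs), nothing else."""
    perms = sg.get("IpPermissionsEgress", [])
    if len(perms) != 1:
        return False
    p = perms[0]
    v4 = [r.get("CidrIp") for r in p.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in p.get("Ipv6Ranges", [])]
    return (p.get("IpProtocol") == ALL_TRAFFIC
            and v4 == [ANYWHERE_V4] and v6 in ([], [ANYWHERE_V6])
            and not p.get("UserIdGroupPairs") and not p.get("PrefixListIds"))


def classify_default_sg(sg):
    """'empty'       -> hardened, nothing to report
       'aws_default' -> untouched stock rules: intra-group any/any, egress to anywhere
       'modified'    -> someone edited it; may be tighter or looser, review by hand"""
    if not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress"):
        return "empty"
    if _is_default_ingress(sg) and _is_default_egress(sg):
        return "aws_default"
    return "modified"


def audit(security_groups):
    """GroupId -> classification for every group whose GroupName is exactly
    'default' (the per-VPC default group). A custom group that merely
    contains 'default' in its name is not the VPC default and is skipped."""
    return {sg["GroupId"]: classify_default_sg(sg)
            for sg in security_groups if sg.get("GroupName") == "default"}


def revocation_calls(sg):
    """(boto3 EC2 client method name, kwargs) pairs that would strip every
    rule from this group. The IpPermissions structures from the describe
    call can be passed straight back to the revoke calls; nothing is
    executed here, the caller decides."""
    calls = []
    if sg.get("IpPermissions"):
        calls.append(("revoke_security_group_ingress",
                      {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissions"]}))
    if sg.get("IpPermissionsEgress"):
        calls.append(("revoke_security_group_egress",
                      {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissionsEgress"]}))
    return calls


_EGRESS_ANY = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]

# Constructed sample in DescribeSecurityGroups shape; all IDs are made up.
SAMPLE_SGS = [
    {"GroupName": "default", "GroupId": "sg-0a1", "VpcId": "vpc-01",  # untouched stock rules
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0a1", "UserId": "111111111111"}]}],
     "IpPermissionsEgress": _EGRESS_ANY},
    {"GroupName": "default", "GroupId": "sg-0b2", "VpcId": "vpc-02",  # hardened: emptied
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupName": "default", "GroupId": "sg-0c3", "VpcId": "vpc-03",  # edited: SSH from anywhere
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                        "PrefixListIds": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": _EGRESS_ANY},
    {"GroupName": "web-default", "GroupId": "sg-0d4", "VpcId": "vpc-01",  # not a VPC default
     "IpPermissions": [], "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for gid, status in audit(SAMPLE_SGS).items():
        print(gid, status, [m for m, _ in revocation_calls(next(s for s in SAMPLE_SGS if s["GroupId"] == gid))])
```

To run it against a real account, replace `SAMPLE_SGS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` and loop over every region; the `modified` bucket is the one that needs a human, since an edited default group can be either tighter than stock or worse (the sample's SSH-from-anywhere case).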
Closing as already included in https://github.com/nccgroup/Scout2/issues/281.