terraform-aws-vpc
Support managing the default security group for vpc
Currently there is no way to manage the default security group and have it remove the default egress rule. AWS best practices suggest that the default security group will have no rules (both for egress and ingress). Please add this feature so we could create VPCs that are compliant with best practices. Thank you!
Hello! Thanks for your question. Hmm, I wonder if removing an AWS account default regarding a different VPC should be considered part of creating an atomic VPC. I would argue that is a separate concern and should be addressed at the account level and not at an atomic VPC level.
Hey @drewmullen, for each VPC you create you get a default security group created with a default egress rule. I'm referring to that fact, and I would like to make sure each VPC is created as the standard recommends. I guess it is a matter of an atomic VPC creation action.
What do you think?
Hi! Adding my thoughts in this thread as well :)
Here are two things to think about:
- Support for SG management in the module. As this module is intended to manage the infrastructure and not the security of the application, we didn't add support for SGs, and you can of course have that management by using data sources as a wrapper in a private module.
- As @drewmullen mentioned, can this be addressed at an Account/Organization level? Meaning having an SCP in AWS Organizations where the default SG cannot be used. Therefore, even if this resource is created by default, no EC2 instance can use it.
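The wrapper approach suggested in the thread, written out as an added example. This is not code from the terraform-aws-vpc module or from any of the commenters: it creates the VPC with the public module and then adopts the VPC's default security group with the AWS provider's `aws_default_security_group` resource, which strips every ingress and egress rule (including the default allow-all egress rule) when no rule blocks are declared. The region, CIDRs, availability zones, version pins and the resource name `this` are illustrative assumptions; pin the versions you actually use.

```hcl
# Added example, not part of the terraform-aws-vpc module.
# A private wrapper module: create the VPC with terraform-aws-vpc, then adopt
# its default security group so that Terraform keeps it rule-free.
# Assumptions: region, CIDRs, AZs and version constraints below are illustrative.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # assumption
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 3.0" # assumption: pin to the version you actually use

  name = "compliant-vpc"
  cidr = "10.0.0.0/16" # assumption

  azs             = ["us-east-1a", "us-east-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
}

# aws_default_security_group does not create a group. Terraform adopts the
# default SG of the given VPC into state, and because no ingress/egress
# blocks are declared here, the provider revokes every rule on adoption,
# including the default "allow all egress" rule, and re-revokes anything
# added out of band on later applies.
resource "aws_default_security_group" "this" {
  vpc_id = module.vpc.vpc_id

  tags = {
    Name = "compliant-vpc-default-sg-closed"
  }
}

output "default_security_group_id" {
  value = aws_default_security_group.this.id
}
```

Two caveats for anyone wiring this in. First, the default security group cannot be deleted, so destroying `aws_default_security_group.this` only drops it from state and leaves the (now empty) group in place. Second, verify the result rather than trusting the plan: `aws ec2 describe-security-groups --group-ids <id> --query 'SecurityGroups[0].[IpPermissions,IpPermissionsEgress]'` should return two empty lists, and the AWS Config managed rule `vpc-default-security-group-closed` (`VPC_DEFAULT_SECURITY_GROUP_CLOSED`) can flag any VPC in the account whose default group still carries rules, which covers VPCs created outside this wrapper.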