nccgroup / Scout2

Security auditing tool for AWS environments
http://nccgroup.github.io/Scout2/
GNU General Public License v2.0

No risk associated with "Non-empty rulesets for default security groups" #302

Closed andresriancho closed 6 years ago

andresriancho commented 6 years ago

https://github.com/nccgroup/Scout2/blob/15d20ce68c0c9328c583ff3ba172efc8326153c8/AWSScout2/rules/data/findings/ec2-default-security-group-with-rules.json

This flags when there is a security group that contains default in the name, and has rules. What is the risk? The only thing I see wrong here is that the devops guy didn't change the name to default -> bad cloud infrastructure documentation.

What am I missing?

andresriancho commented 6 years ago

PS: Reporting with the intention to a) learn, b) remove the check if it doesn't make sense.

x4v13r64 commented 6 years ago

A default SG (called "default") is created for each VPC. These SGs come with rules which allow all inbound traffic from instances assigned to the same security group, as well as all outbound traffic. The default security group is assigned to new instances created within a VPC if no custom security groups are assigned to it during configuration. These default rules may be overly permissive, for instance allowing an attacker who has compromised one instance with the default security group assigned to use horizontal privilege escalation to compromise all other instances configured with the default security group.

In order to improve system hardening, you should remove all rules from the default security groups so that they restrict all traffic. Should an instance be created without custom security groups, it will inherit the default security group and be unable to communicate with other instances within the VPC until the required custom security groups are assigned.

The rule you mentioned could/should be improved by making sure the rules for SGs named "default" are indeed the default rules, and haven't been modified to be more restrictive.
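One way to implement the refinement suggested above, as an added example that is not Scout2's own code: classify each group named "default" by whether its ruleset is still the stock one (all inbound from members of the same group, all outbound to anywhere), has been emptied, or has been modified to something else. The sample groups are constructed for this example; their shape follows the EC2 DescribeSecurityGroups response.

```python
"""Classify 'default' security groups as stock, hardened or modified."""
from typing import Dict, List

ALLOW_ALL_V4 = {"CidrIp": "0.0.0.0/0"}
ALLOW_ALL_V6 = {"CidrIpv6": "::/0"}


def _stock_ingress(rule: Dict, group_id: str) -> bool:
    """Stock inbound rule: all protocols from members of this same group."""
    return (rule.get("IpProtocol") == "-1"
            and not rule.get("IpRanges") and not rule.get("Ipv6Ranges")
            and any(p.get("GroupId") == group_id
                    for p in rule.get("UserIdGroupPairs", [])))


def _stock_egress(rule: Dict) -> bool:
    """Stock outbound rule: all protocols to anywhere (IPv4 and/or IPv6)."""
    return (rule.get("IpProtocol") == "-1"
            and (ALLOW_ALL_V4 in rule.get("IpRanges", [])
                 or ALLOW_ALL_V6 in rule.get("Ipv6Ranges", [])))


def classify_default_sg(sg: Dict) -> str:
    """'n/a' for non-default groups; otherwise 'hardened' (no rules, the
    recommended state), 'stock' (unchanged AWS defaults) or 'modified'."""
    if sg.get("GroupName") != "default":
        return "n/a"
    ingress = sg.get("IpPermissions", [])
    egress = sg.get("IpPermissionsEgress", [])
    if not ingress and not egress:
        return "hardened"
    stock = (len(ingress) == 1 and _stock_ingress(ingress[0], sg["GroupId"])
             and len(egress) >= 1 and all(_stock_egress(r) for r in egress))
    return "stock" if stock else "modified"


def audit(groups: List[Dict]) -> Dict[str, str]:
    """Map GroupId -> classification; 'stock' is what the check should flag."""
    return {g["GroupId"]: classify_default_sg(g) for g in groups}


# Constructed sample data in DescribeSecurityGroups shape (not a real account).
SAMPLE_GROUPS = [
    {"GroupName": "default", "GroupId": "sg-aaa",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"UserId": "111111111111", "GroupId": "sg-aaa"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [ALLOW_ALL_V4]}]},
    {"GroupName": "default", "GroupId": "sg-bbb", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupName": "default", "GroupId": "sg-ccc", "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [ALLOW_ALL_V4]}]},
]
```

Running `audit(SAMPLE_GROUPS)` reports sg-aaa as stock (flag it), sg-bbb as hardened (ignore) and sg-ccc as modified (inbound removed but egress kept, worth a manual look).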

x4v13r64 commented 6 years ago

Closing as already included in https://github.com/nccgroup/Scout2/issues/281.