AWS Config Rule: VPC Default Security Group Closed
VPC_DEFAULT_SECURITY_GROUP_CLOSED
Fernando Honig
Last Update: a year ago
Description: Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic. The rule returns NOT_APPLICABLE if the security group is not the default one. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound rules.
Trigger type: Configuration changes
AWS Region: All supported AWS regions
How to Resolve Manually
When you create an AWS VPC, it is assigned a default security group; resources launched without an explicitly chosen security group are placed in it.
The rule checks whether any ingress or egress rules have been added to that default security group, since such rules allow inbound and/or outbound traffic.
It is recommended that you do not use the AWS default security group, as doing so can become a security issue. Note that the default security group also cannot be deleted.
To resolve this rule, move any ingress/egress rules to a new, managed security group, and then remove all rules from the default security group in the affected VPC. The default security group should then allow no inbound or outbound traffic at all.
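The check and the manual remediation described above can be modelled offline. The following is an added example, not code from this StackZone article or from AWS; it assumes security group records in the shape returned by EC2 DescribeSecurityGroups (GroupId, GroupName, VpcId, IpPermissions, IpPermissionsEgress), and the sample groups, account id and group ids in it are constructed. The plan it builds uses the boto3 EC2 client method names revoke_security_group_ingress and revoke_security_group_egress, but nothing is executed unless you hand apply_plan a real client.

```python
"""Offline model of VPC_DEFAULT_SECURITY_GROUP_CLOSED plus a remediation plan.

Group dicts follow the EC2 DescribeSecurityGroups shape. The sample data below
is constructed for illustration and is not real account data.
"""
from typing import Any, Dict, List

# Constructed sample: an untouched default group, a default group that has
# already been emptied, and a customer-managed group (ignored by the rule).
SAMPLE_SECURITY_GROUPS: List[Dict[str, Any]] = [
    {
        "GroupId": "sg-0aaaaaaaaaaaaaaa1",
        "GroupName": "default",
        "VpcId": "vpc-0bbbbbbbbbbbbbbb1",
        # AWS creates the default group with "allow all from self" ingress
        # and "allow all" egress; both count as open for this rule.
        "IpPermissions": [
            {"IpProtocol": "-1",
             "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaa1",
                                   "UserId": "111111111111"}]}
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
        ],
    },
    {
        "GroupId": "sg-0aaaaaaaaaaaaaaa2",
        "GroupName": "default",
        "VpcId": "vpc-0bbbbbbbbbbbbbbb2",
        "IpPermissions": [],
        "IpPermissionsEgress": [],
    },
    {
        "GroupId": "sg-0ccccccccccccccc3",
        "GroupName": "web-managed",
        "VpcId": "vpc-0bbbbbbbbbbbbbbb1",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
        ],
    },
]


def evaluate_security_group(sg: Dict[str, Any]) -> str:
    """Mirror the rule's three outcomes for one security group."""
    if sg.get("GroupName") != "default":
        return "NOT_APPLICABLE"   # the rule only looks at a VPC's default group
    if sg.get("IpPermissions") or sg.get("IpPermissionsEgress"):
        return "NON_COMPLIANT"    # any rule, inbound or outbound, fails the check
    return "COMPLIANT"


def evaluate_all(security_groups: List[Dict[str, Any]]) -> Dict[str, str]:
    """Map every group id to its compliance result."""
    return {sg["GroupId"]: evaluate_security_group(sg) for sg in security_groups}


def remediation_plan(sg: Dict[str, Any]) -> List[Dict[str, Any]]:
    """List the EC2 revoke calls that would close a NON_COMPLIANT default group.

    Each step names a boto3 EC2 client method and its keyword arguments.
    Nothing is executed here.
    """
    if evaluate_security_group(sg) != "NON_COMPLIANT":
        return []
    plan: List[Dict[str, Any]] = []
    if sg.get("IpPermissions"):
        plan.append({"method": "revoke_security_group_ingress",
                     "kwargs": {"GroupId": sg["GroupId"],
                                "IpPermissions": sg["IpPermissions"]}})
    if sg.get("IpPermissionsEgress"):
        plan.append({"method": "revoke_security_group_egress",
                     "kwargs": {"GroupId": sg["GroupId"],
                                "IpPermissions": sg["IpPermissionsEgress"]}})
    return plan


def apply_plan(ec2_client: Any, plan: List[Dict[str, Any]]) -> int:
    """Run a plan against anything exposing the boto3 EC2 client method names.

    Pass a real client (boto3.client("ec2")) only after workloads have been
    moved to a managed group; a stub object lets you dry-run the plan offline.
    Returns the number of revoke calls made.
    """
    for step in plan:
        getattr(ec2_client, step["method"])(**step["kwargs"])
    return len(plan)


if __name__ == "__main__":
    for group_id, status in evaluate_all(SAMPLE_SECURITY_GROUPS).items():
        print(f"{group_id}: {status}")
    for step in remediation_plan(SAMPLE_SECURITY_GROUPS[0]):
        print(step["method"], step["kwargs"]["GroupId"])
```

Revoking the default group's egress rule cuts all outbound traffic for anything still attached to it, which is why the plan is kept separate from its execution: review which instances and interfaces reference the default group, move them to the managed group first, then apply the plan.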
How to Resolve with StackZone
You can resolve this with StackZone by enabling the VPC Default Security Group Closed Remediation.
Go to Baseline Services > Config Rules Regional > Network > Remediation(s) and enable VPC Default Security Group Closed Remediation.
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our How it Works section, with easy-to-follow videos, or just create your own StackZone account here.