AWS-017 Amazon Web Services (AWS)

Default security group of every VPC restricts all traffic.

Default security group of every VPC restricts all traffic.

Domain
Amazon Web Services (AWS)
Area
Networking
Automated / manual
Automated

Risk if it fails

Defaults often left wide open.

Resources accidentally placed in the default group can become exposed without anyone intending it, creating a silent open door.

How Tess tests it

1 test — each concludes only on cited evidence.

Default security group of every VPC restricts all traffic.

Automated
Procedure
Confirm default SGs have no allow rules.

Read-only command 

aws ec2 describe-security-groups --filters Name=group-name,Values=default --query 'SecurityGroups[].{VPC:VpcId,In:IpPermissions,Out:IpPermissionsEgress}'

More in Amazon Web Services (AWS)

AWS-001 Root account MFA is enabled. AWS-002 No access keys exist on the root account. AWS-003 Root account is not used for day-to-day activity. AWS-004 Strong IAM password policy is enforced.

Want Tess to test AWS-017 against your evidence?

Book a demo