For each VPC created in AWS, a default security group is always automatically created, in this security group there is an inbound rule that allows access to all protocols and ports of the security group itself as source and it also has an outbound rule that allows access to all protocols and ports to the internet as source.
Following good security practices, it is not recommended to use default security groups associated with AWS resources, but rather to create custom security groups with least privileges for these resources.
The objective of this post is to present a script to delete all inbound and outbound rules from the default security groups of all VPCs and regions in an AWS account.
This makes the use of default security groups useless and will reduce AWS compliance security alerts for default security group that does not restrict all traffic.
It is important to remove the association of AWS resources with the default security group if used, to find out if it is being used by an AWS resource you can consult the network interfaces according to this post.
To run the code above you need to install python 3 with dependency boto3 and configure your AWS credentials:
| import boto3 | |
| regions = ['ap-northeast-1', 'ap-northeast-2', 'ap-northeast-3', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-north-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2'] | |
| def delete_sg_rule_ingress(sg_id, ingress_rule): | |
| sg_rv_ingress_rule_response = ec2_client.revoke_security_group_ingress( | |
| GroupId=sg_id, | |
| IpPermissions=ingress_rule | |
| ) | |
| if sg_rv_ingress_rule_response['Return']: | |
| print(f'{sg_id} ingress rules deleted') | |
| def delete_sg_rule_egress(sg_id, egress_rule): | |
| sg_rv_egress_rule_response = ec2_client.revoke_security_group_egress( | |
| GroupId=sg_id, | |
| IpPermissions=egress_rule | |
| ) | |
| if sg_rv_egress_rule_response['Return']: | |
| print(f'{sg_id} egress rules deleted') | |
| def describe_sg(): | |
| default_sgs = [] | |
| paginator = ec2_client.get_paginator('describe_security_groups') | |
| response_iterator = paginator.paginate() | |
| for page in response_iterator: | |
| for sg in page['SecurityGroups']: | |
| if 'default' in sg.get('GroupName'): | |
| default_sgs.append([sg['GroupId'], sg['IpPermissions'], sg['IpPermissionsEgress']]) | |
| return default_sgs | |
| if __name__ == '__main__': | |
| for region in regions: | |
| ec2_client = boto3.client('ec2', region_name=region) | |
| default_sgs = describe_sg() | |
| for sg_id, ingress_rule, egress_rule in default_sgs: | |
| if ingress_rule: | |
| delete_sg_rule_ingress(sg_id, ingress_rule) | |
| if egress_rule: | |
| delete_sg_rule_egress(sg_id, egress_rule) |
Note 1: Default security groups always have the name "default" and it is not possible to create a security group with that same name, so there is no chance of deleting rules from other security groups.
Note 2: In regions used in your AWS account, it may make sense to manually evaluate the update of the default security group via network interfaces, so in this case it is recommended to exclude the elements (regions) from the regions variable array.
Note 3: This will not prevent more non-restricted default security groups from being created, to accomplish this you can add configuration parameters to your infrastructure as code, as this terraform resource.
Top comments (0)