AFT VPC default security group should have no inbound/outbound rules #275

Closed
domestic-fennec opened this issue Nov 4, 2022 · 4 comments
Labels
enhancement New feature or request

Comments

@domestic-fennec

Describe the outcome you'd like

The default SG for the AFT VPC should have no inbound or outbound rules, so that it follows AWS Foundational Security Best Practices.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

AWS Security Hub (and other cloud infosec tools) generate security warnings when setting up AFT.

Additional context

Please note that I'm referring to the default security group that all VPCs have, not the aft-default-sg one that's created here.

Having done some limited research into this, it seems that using the aws_default_security_group resource with no egress and ingress blocks is a way of fixing this.

```hcl
# Adopting the VPC's built-in default security group with no ingress/egress
# blocks makes Terraform remove every rule it ships with, so it allows no traffic.
resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.aft_vpc.id
}
```
@domestic-fennec domestic-fennec added the enhancement New feature or request label Nov 4, 2022
@balltrev

balltrev commented Nov 4, 2022

Thanks for the request @domestic-fennec, I'll make a backlog with the team to discuss this enhancement.

@azbpa

azbpa commented Mar 17, 2023

We are facing the same issue in our current production environment and would like to see this fixed soon as well. Thanks in advance.

@ghost

ghost commented Apr 7, 2023

As of now, any account using AFT will trigger the AWS Security Hub control EC2.2.

It would be much appreciated if this could be resolved. Especially if nothing is using the default group, and everything is instead using the aft-default-sg.

Adding the relevant documentation from the AWS Security Hub Controls Reference

[EC2.2] The VPC default security group should not allow inbound and outbound traffic

Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/2.1, CIS AWS Foundations Benchmark v1.2.0/4.3, CIS AWS Foundations Benchmark v1.4.0/5.3, NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(5)

Category: Protect > Secure network configuration
Severity: High
Resource type: AWS::EC2::SecurityGroup
AWS Config rule: vpc-default-security-group-closed

Schedule type: Change triggered

Parameters: None

This control checks that the default security group of a VPC does not allow inbound or outbound traffic.

The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group.

We do not recommend using the default security group. Because the default security group cannot be deleted, you should change the default security group rules setting to restrict inbound and outbound traffic. This prevents unintended traffic if the default security group is accidentally configured for resources such as EC2 instances.

https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2

Thank you!
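The control text quoted above says what EC2.2 checks but not what the pre-populated rules look like on the wire, which is what you need when auditing accounts yourself (or verifying that the aws_default_security_group fix proposed earlier in the thread actually emptied the group). The following is an added example written for this thread, not AFT project code: it evaluates DescribeSecurityGroups output the way EC2.2 / the vpc-default-security-group-closed Config rule does, passing a default SG only when both rule lists are empty. The sample response is constructed and every VPC, group and account ID in it is made up; `live_security_groups` is an optional helper that pulls real data with boto3 if you have credentials.

```python
"""Audit VPC default security groups as Security Hub control EC2.2 does.

Added example for this thread, not AFT project code. The input shape
mirrors the EC2 DescribeSecurityGroups response; the sample data below is
constructed and its VPC/SG/account IDs are made up.
"""
from typing import Iterable


def is_default_sg(sg: dict) -> bool:
    # Every VPC has exactly one security group literally named "default";
    # it cannot be deleted, only emptied, which is why EC2.2 keys on it.
    return sg.get("GroupName") == "default"


def default_sg_findings(security_groups: Iterable[dict]) -> list[dict]:
    """One finding per default SG: PASSED only if it has no inbound and
    no outbound rules at all, FAILED otherwise (with rule counts)."""
    findings = []
    for sg in security_groups:
        if not is_default_sg(sg):
            continue  # non-default groups are out of scope for EC2.2
        inbound = sg.get("IpPermissions", [])
        outbound = sg.get("IpPermissionsEgress", [])
        findings.append({
            "VpcId": sg["VpcId"],
            "GroupId": sg["GroupId"],
            "InboundRules": len(inbound),
            "OutboundRules": len(outbound),
            "Status": "PASSED" if not inbound and not outbound else "FAILED",
        })
    return findings


def failed_default_sgs(security_groups: Iterable[dict]) -> list[str]:
    """Group IDs of default SGs that would raise an EC2.2 finding."""
    return [f["GroupId"] for f in default_sg_findings(security_groups)
            if f["Status"] == "FAILED"]


def live_security_groups(region_name: str) -> list[dict]:
    """Optional: fetch real groups with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline sample run needs no SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    groups: list[dict] = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups


# Constructed sample. The first group is what AWS pre-populates in a fresh
# VPC: an allow-all inbound rule that references the group itself, and an
# allow-all 0.0.0.0/0 outbound rule. The second is a default SG after
# aws_default_security_group with no ingress/egress blocks has stripped
# every rule. The third is a normal group and must not be reported.
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "default",
        "VpcId": "vpc-0aaa111bbb222ccc3",
        "IpPermissions": [{
            "IpProtocol": "-1",
            "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0",
                                  "UserId": "111122223333"}],
        }],
        "IpPermissionsEgress": [{
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        }],
    },
    {
        "GroupId": "sg-0fedcba9876543210",
        "GroupName": "default",
        "VpcId": "vpc-0ddd444eee555fff6",
        "IpPermissions": [],
        "IpPermissionsEgress": [],
    },
    {
        "GroupId": "sg-0aft000000000000a",
        "GroupName": "aft-default-sg",
        "VpcId": "vpc-0ddd444eee555fff6",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1",
                                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
]


if __name__ == "__main__":
    for f in default_sg_findings(SAMPLE_SECURITY_GROUPS):
        print(f"{f['VpcId']} {f['GroupId']}: {f['Status']} "
              f"(inbound={f['InboundRules']}, outbound={f['OutboundRules']})")
```

Run it as-is against the constructed sample, or swap `SAMPLE_SECURITY_GROUPS` for `live_security_groups("us-east-1")` to audit a real account; a default SG with even one rule left (the self-referencing inbound rule is the one people forget) is reported as FAILED, matching the control.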

@Sanjan611

We've addressed this now in the latest release of AFT!

https://github.com/aws-ia/terraform-aws-control_tower_account_factory/releases/tag/1.12.0
