Generally as a best practice, you should not have inbound rules on the default security group, as it can easily happen that you accidentally assign it to new instances (and thus expose them). For inbound rules in your security groups, you should only specify the port/protocol that you really need for your application to work. E.g. 443/TCP from 0.0.0.0/0 if you have a public HTTPS webserver. Note that security groups are stateful, so you don't need any inbound rules for traffic that is initiated by your instance.
By default a security group has no outbound rules, which actually means outbound is "all traffic"! In my opinion AWS stuffed up a bit here: how does it make sense from a least-privilege perspective to default "all open" like this when you don't specify anything?
I would strongly recommend you don't keep that default behaviour, and specify only the outbound traffic that you need. If you don't need any outbound at all then use this rule as recommended by AWS:
```yaml
SecurityGroupEgress:
  - CidrIp: 127.0.0.1/32
    IpProtocol: '-1'
```
Also for your inbound rules, restrict them to only what's needed. If you're allowing internet traffic you may need 0.0.0.0/0, but you can still restrict the ports e.g. to just HTTPS.
I restricted the inbound rules to accept SSH connections from my local subnets. Is that good practice?
Yes, that's good practice. Even better though is to block SSH and set things up to use Systems Manager Session Manager instead. See https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html.
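As an added example (not code from the thread or from AWS), here is a small offline audit over security groups in the dict shape that boto3's `describe_security_groups()` returns, checking the points raised in the answers above and in the SSH answer: no inbound rules on the default group, internet-facing inbound only on 443/TCP, and egress not left at the implicit all-traffic default (the loopback `/32` egress rule counts as "no egress"). The sample groups are constructed, not real account data.

```python
"""Audit security groups for the least-privilege points discussed in the thread."""
from typing import Dict, List

WORLD = ("0.0.0.0/0", "::/0")  # "anywhere" in IPv4 and IPv6 form


def _cidrs(perm: Dict) -> List[str]:
    """Collect every CIDR (v4 and v6) referenced by one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_group(sg: Dict) -> List[str]:
    """Return human-readable findings for one security group; [] means clean."""
    findings, name = [], sg.get("GroupName", "")
    # 1. The default group should carry no inbound rules at all.
    if name == "default" and sg.get("IpPermissions"):
        findings.append(f"{name}: default group has inbound rules")
    # 2. Inbound from the internet is acceptable only on 443/TCP.
    for perm in sg.get("IpPermissions", []):
        world = [c for c in _cidrs(perm) if c in WORLD]
        if not world:
            continue
        proto, frm, to = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        if not (proto == "tcp" and frm == 443 and to == 443):
            ports = "all" if proto == "-1" else f"{frm}-{to}"
            findings.append(f"{name}: inbound {proto} {ports} open to {','.join(world)}")
    # 3. Egress should be explicit; all-traffic to anywhere is the implicit default.
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "-1" and any(c in WORLD for c in _cidrs(perm)):
            findings.append(f"{name}: egress allows all traffic to the internet")
    return findings


def audit(groups: List[Dict]) -> Dict[str, List[str]]:
    """Map each group name to its findings."""
    return {g["GroupName"]: audit_group(g) for g in groups}


# Constructed sample in describe_security_groups() shape (not real data).
SAMPLE_GROUPS = [
    {"GroupName": "default",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "web",  # HTTPS from anywhere, SSH only from a local subnet, no egress
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "127.0.0.1/32"}]}]},
]
```

Run `audit(SAMPLE_GROUPS)` to see the default group flagged on all three points while `web` comes back clean.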