Detection rules › Panther
AWS VPC Default Security Group Restrictions
This policy validates that the default Security Group for a given AWS VPC is restricting all inbound and outbound traffic.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1133 External Remote Services |
Rule body yaml
AnalysisType: policy
Filename: aws_vpc_default_security_restrictions.py
PolicyID: "AWS.VPC.DefaultSecurityGroup.Restrictions"
DisplayName: "AWS VPC Default Security Group Restrictions "
Enabled: true
ResourceTypes:
- AWS.EC2.VPC
Tags:
- AWS
- Security Control
- Initial Access:External Remote Services
Reports:
CIS:
- 4.3
PCI:
- 1.2.1
MITRE ATT&CK:
- TA0001:T1133
Severity: Low
Description: >
This policy validates that the default Security Group for a given AWS VPC is restricting all inbound and outbound traffic.
Runbook: >
https://docs.runpanther.io/alert-runbooks/built-in-policies/aws-vpc-default-security-group-restricts-all-traffic
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
#Tests:
# -
# Name: Default Security Group Has IP Permissions
# ExpectedResult: false
# Resource:
# {
# "CidrBlock": "172.31.0.0/16",
# "CidrBlockAssociationSet": [
# {
# "AssociationId": "vpc-cidr-assoc-112233",
# "CidrBlock": "172.0.0.0/16",
# "CidrBlockState": {
# "State": "associated",
# "StatusMessage": null
# }
# }
# ],
# "DhcpOptionsId": "dopt-1122e3344",
# "FlowLogs": null,
# "InstanceTenancy": "default",
# "Ipv6CidrBlockAssociationSet": null,
# "IsDefault": true,
# "NetworkAcls": [
# {
# "Associations": [
# {
# "NetworkAclAssociationId": "aclassoc-1122abc444",
# "NetworkAclId": "acl-123abc",
# "SubnetId": "subnet-123abc"
# },
# {
# "NetworkAclAssociationId": "aclassoc-123abc",
# "NetworkAclId": "acl-1122abc",
# "SubnetId": "subnet-112233aabb"
# }
# ],
# "Entries": [
# {
# "CidrBlock": "0.0.0.0/0",
# "Egress": false,
# "IcmpTypeCode": null,
# "Ipv6CidrBlock": null,
# "PortRange": null,
# "Protocol": "-1",
# "RuleAction": "deny",
# "RuleNumber": 12345
# }
# ],
# "IsDefault": true,
# "NetworkAclId": "acl-123aabb",
# "OwnerId": "112233445566",
# "Tags": null,
# "VpcId": "vpc-1234321"
# }
# ],
# "OwnerId": "112233445566",
# "RouteTables": [
# {
# "Associations": [
# {
# "Main": true,
# "RouteTableAssociationId": "rtbassoc-1122aa33",
# "RouteTableId": "rtb-1122abc33",
# "SubnetId": null
# }
# ],
# "OwnerId": "112233445566",
# "PropagatingVgws": null,
# "RouteTableId": "rtb-11223344",
# "Routes": [
# {
# "DestinationCidrBlock": "0.0.0.0/0",
# "DestinationIpv6CidrBlock": null,
# "DestinationPrefixListId": null,
# "EgressOnlyInternetGatewayId": null,
# "GatewayId": "igw-abc123",
# "InstanceId": null,
# "InstanceOwnerId": null,
# "NatGatewayId": null,
# "NetworkInterfaceId": null,
# "Origin": "CreateRoute",
# "State": "active",
# "TransitGatewayId": null,
# "VpcPeeringConnectionId": null
# }
# ],
# "Tags": null,
# "VpcId": "vpc-11223344"
# }
# ],
# "SecurityGroups": [
# {
# "Description": "default VPC security group",
# "GroupId": "sg-abc123",
# "GroupName": "default",
# "IpPermissions": [
# {
# "FromPort": null,
# "IpProtocol": "-1",
# "IpRanges": null,
# "Ipv6Ranges": null,
# "PrefixListIds": null,
# "ToPort": null,
# "UserIdGroupPairs": [
# {
# "Description": null,
# "GroupId": "sg-abc123",
# "GroupName": null,
# "PeeringStatus": null,
# "UserId": "1122334455",
# "VpcId": null,
# "VpcPeeringConnectionId": null
# }
# ]
# }
# ],
# "IpPermissionsEgress": [
# {
# "FromPort": null,
# "IpProtocol": "-1",
# "IpRanges": [
# {
# "CidrIp": "0.0.0.0/0",
# "Description": null
# }
# ],
# "Ipv6Ranges": null,
# "PrefixListIds": null,
# "ToPort": null,
# "UserIdGroupPairs": null
# }
# ],
# "OwnerId": "112233445566",
# "Tags": null,
# "VpcId": "vpc-123454321"
# }
# ],
# "StaleSecurityGroups": [
# {
# "Description": "default VPC security group",
# "GroupId": "sg-abc567",
# "GroupName": "default",
# "StaleIpPermissions": null,
# "StaleIpPermissionsEgress": [
# {
# "FromPort": 5555,
# "IpProtocol": "tcp",
# "IpRanges": null,
# "PrefixListIds": null,
# "ToPort": 5555,
# "UserIdGroupPairs": [
# {
# "Description": null,
# "GroupId": "sg-abc567",
# "GroupName": "default",
# "PeeringStatus": "deleted",
# "UserId": "123456789012",
# "VpcId": "vpc-abc111222333444",
# "VpcPeeringConnectionId": null
# }
# ]
# }
# ],
# "VpcId": "vpc-abc123"
# }
# ],
# "State": "available",
# "Tags": null,
# "VpcId": "vpc-1234321"
# }
# -
# Name: Default Security Group Has Inbound IP Permissions
# ExpectedResult: false
# Resource:
# {
# "CidrBlock": "172.31.0.0/16",
# "CidrBlockAssociationSet": [
# {
# "AssociationId": "vpc-cidr-assoc-112233",
# "CidrBlock": "172.0.0.0/16",
# "CidrBlockState": {
# "State": "associated",
# "StatusMessage": null
# }
# }
# ],
# "DhcpOptionsId": "dopt-1122e3344",
# "FlowLogs": null,
# "InstanceTenancy": "default",
# "Ipv6CidrBlockAssociationSet": null,
# "IsDefault": true,
# "NetworkAcls": [
# {
# "Associations": [
# {
# "NetworkAclAssociationId": "aclassoc-1122abc444",
# "NetworkAclId": "acl-123abc",
# "SubnetId": "subnet-123abc"
# },
# {
# "NetworkAclAssociationId": "aclassoc-123abc",
# "NetworkAclId": "acl-1122abc",
# "SubnetId": "subnet-112233aabb"
# }
# ],
# "Entries": [
# {
# "CidrBlock": "0.0.0.0/0",
# "Egress": false,
# "IcmpTypeCode": null,
# "Ipv6CidrBlock": null,
# "PortRange": null,
# "Protocol": "-1",
# "RuleAction": "deny",
# "RuleNumber": 12345
# }
# ],
# "IsDefault": true,
# "NetworkAclId": "acl-123aabb",
# "OwnerId": "112233445566",
# "Tags": null,
# "VpcId": "vpc-1234321"
# }
# ],
# "OwnerId": "112233445566",
# "RouteTables": [
# {
# "Associations": [
# {
# "Main": true,
# "RouteTableAssociationId": "rtbassoc-1122aa33",
# "RouteTableId": "rtb-1122abc33",
# "SubnetId": null
# }
# ],
# "OwnerId": "112233445566",
# "PropagatingVgws": null,
# "RouteTableId": "rtb-11223344",
# "Routes": [
# {
# "DestinationCidrBlock": "0.0.0.0/0",
# "DestinationIpv6CidrBlock": null,
# "DestinationPrefixListId": null,
# "EgressOnlyInternetGatewayId": null,
# "GatewayId": "igw-abc123",
# "InstanceId": null,
# "InstanceOwnerId": null,
# "NatGatewayId": null,
# "NetworkInterfaceId": null,
# "Origin": "CreateRoute",
# "State": "active",
# "TransitGatewayId": null,
# "VpcPeeringConnectionId": null
# }
# ],
# "Tags": null,
# "VpcId": "vpc-11223344"
# }
# ],
# "SecurityGroups": [
# {
# "Description": "default VPC security group",
# "GroupId": "sg-abc123",
# "GroupName": "default",
# "IpPermissions": [
# {
# "FromPort": null,
# "IpProtocol": "-1",
# "IpRanges": null,
# "Ipv6Ranges": null,
# "PrefixListIds": null,
# "ToPort": null,
# "UserIdGroupPairs": [
# {
# "Description": null,
# "GroupId": "sg-abc123",
# "GroupName": null,
# "PeeringStatus": null,
# "UserId": "1122334455",
# "VpcId": null,
# "VpcPeeringConnectionId": null
# }
# ]
# }
# ],
# "IpPermissionsEgress": null,
# "OwnerId": "112233445566",
# "Tags": null,
# "VpcId": "vpc-123454321"
# }
# ],
# "StaleSecurityGroups": [
# {
# "Description": "default VPC security group",
# "GroupId": "sg-abc567",
# "GroupName": "default",
# "StaleIpPermissions": null,
# "StaleIpPermissionsEgress": [
# {
# "FromPort": 5555,
# "IpProtocol": "tcp",
# "IpRanges": null,
# "PrefixListIds": null,
# "ToPort": 5555,
# "UserIdGroupPairs": [
# {
# "Description": null,
# "GroupId": "sg-abc567",
# "GroupName": "default",
# "PeeringStatus": "deleted",
# "UserId": "123456789012",
# "VpcId": "vpc-abc111222333444",
# "VpcPeeringConnectionId": null
# }
# ]
# }
# ],
# "VpcId": "vpc-abc123"
# }
# ],
# "State": "available",
# "Tags": null,
# "VpcId": "vpc-1234321"
# }
# -
# Name: Default Security Group Has No IP Permissions
# ExpectedResult: true
# Resource:
# {
# "CidrBlock": "172.31.0.0/16",
# "CidrBlockAssociationSet": [
# {
# "AssociationId": "vpc-cidr-assoc-112233",
# "CidrBlock": "172.0.0.0/16",
# "CidrBlockState": {
# "State": "associated",
# "StatusMessage": null
# }
# }
# ],
# "DhcpOptionsId": "dopt-1122e3344",
# "FlowLogs": null,
# "InstanceTenancy": "default",
# "Ipv6CidrBlockAssociationSet": null,
# "IsDefault": true,
# "NetworkAcls": [
# {
# "Associations": [
# {
# "NetworkAclAssociationId": "aclassoc-1122abc444",
# "NetworkAclId": "acl-123abc",
# "SubnetId": "subnet-123abc"
# },
# {
# "NetworkAclAssociationId": "aclassoc-123abc",
# "NetworkAclId": "acl-1122abc",
# "SubnetId": "subnet-112233aabb"
# }
# ],
# "Entries": [
# {
# "CidrBlock": "0.0.0.0/0",
# "Egress": false,
# "IcmpTypeCode": null,
# "Ipv6CidrBlock": null,
# "PortRange": null,
# "Protocol": "-1",
# "RuleAction": "deny",
# "RuleNumber": 12345
# }
# ],
# "IsDefault": true,
# "NetworkAclId": "acl-123aabb",
# "OwnerId": "112233445566",
# "Tags": null,
# "VpcId": "vpc-1234321"
# }
# ],
# "OwnerId": "112233445566",
# "RouteTables": [
# {
# "Associations": [
# {
# "Main": true,
# "RouteTableAssociationId": "rtbassoc-1122aa33",
# "RouteTableId": "rtb-1122abc33",
# "SubnetId": null
# }
# ],
# "OwnerId": "112233445566",
# "PropagatingVgws": null,
# "RouteTableId": "rtb-11223344",
# "Routes": [
# {
# "DestinationCidrBlock": "0.0.0.0/0",
# "DestinationIpv6CidrBlock": null,
# "DestinationPrefixListId": null,
# "EgressOnlyInternetGatewayId": null,
# "GatewayId": "igw-abc123",
# "InstanceId": null,
# "InstanceOwnerId": null,
# "NatGatewayId": null,
# "NetworkInterfaceId": null,
# "Origin": "CreateRoute",
# "State": "active",
# "TransitGatewayId": null,
# "VpcPeeringConnectionId": null
# }
# ],
# "Tags": null,
# "VpcId": "vpc-11223344"
# }
# ],
# "SecurityGroups": [
# {
# "Description": "default VPC security group",
# "GroupId": "sg-abc123",
# "GroupName": "default",
# "IpPermissions": null,
# "IpPermissionsEgress": null,
# "OwnerId": "112233445566",
# "Tags": null,
# "VpcId": "vpc-123454321"
# }
# ],
# "StaleSecurityGroups": [
# {
# "Description": "default VPC security group",
# "GroupId": "sg-abc567",
# "GroupName": "default",
# "StaleIpPermissions": null,
# "StaleIpPermissionsEgress": [
# {
# "FromPort": 5555,
# "IpProtocol": "tcp",
# "IpRanges": null,
# "PrefixListIds": null,
# "ToPort": 5555,
# "UserIdGroupPairs": [
# {
# "Description": null,
# "GroupId": "sg-abc567",
# "GroupName": "default",
# "PeeringStatus": "deleted",
# "UserId": "123456789012",
# "VpcId": "vpc-abc111222333444",
# "VpcPeeringConnectionId": null
# }
# ]
# }
# ],
# "VpcId": "vpc-abc123"
# }
# ],
# "State": "available",
# "Tags": null,
# "VpcId": "vpc-1234321"
# }
# -
# Name: Default Security Group Has Outbound IP Permissions
# ExpectedResult: false
# Resource:
# {
# "CidrBlock": "172.31.0.0/16",
# "CidrBlockAssociationSet": [
# {
# "AssociationId": "vpc-cidr-assoc-112233",
# "CidrBlock": "172.0.0.0/16",
# "CidrBlockState": {
# "State": "associated",
# "StatusMessage": null
# }
# }
# ],
# "DhcpOptionsId": "dopt-1122e3344",
# "FlowLogs": null,
# "InstanceTenancy": "default",
# "Ipv6CidrBlockAssociationSet": null,
# "IsDefault": true,
# "NetworkAcls": [
# {
# "Associations": [
# {
# "NetworkAclAssociationId": "aclassoc-1122abc444",
# "NetworkAclId": "acl-123abc",
# "SubnetId": "subnet-123abc"
# },
# {
# "NetworkAclAssociationId": "aclassoc-123abc",
# "NetworkAclId": "acl-1122abc",
# "SubnetId": "subnet-112233aabb"
# }
# ],
# "Entries": [
# {
# "CidrBlock": "0.0.0.0/0",
# "Egress": false,
# "IcmpTypeCode": null,
# "Ipv6CidrBlock": null,
# "PortRange": null,
# "Protocol": "-1",
# "RuleAction": "deny",
# "RuleNumber": 12345
# }
# ],
# "IsDefault": true,
# "NetworkAclId": "acl-123aabb",
# "OwnerId": "112233445566",
# "Tags": null,
# "VpcId": "vpc-1234321"
# }
# ],
# "OwnerId": "112233445566",
# "RouteTables": [
# {
# "Associations": [
# {
# "Main": true,
# "RouteTableAssociationId": "rtbassoc-1122aa33",
# "RouteTableId": "rtb-1122abc33",
# "SubnetId": null
# }
# ],
# "OwnerId": "112233445566",
# "PropagatingVgws": null,
# "RouteTableId": "rtb-11223344",
# "Routes": [
# {
# "DestinationCidrBlock": "0.0.0.0/0",
# "DestinationIpv6CidrBlock": null,
# "DestinationPrefixListId": null,
# "EgressOnlyInternetGatewayId": null,
# "GatewayId": "igw-abc123",
# "InstanceId": null,
# "InstanceOwnerId": null,
# "NatGatewayId": null,
# "NetworkInterfaceId": null,
# "Origin": "CreateRoute",
# "State": "active",
# "TransitGatewayId": null,
# "VpcPeeringConnectionId": null
# }
# ],
# "Tags": null,
# "VpcId": "vpc-11223344"
# }
# ],
# "SecurityGroups": [
# {
# "Description": "default VPC security group",
# "GroupId": "sg-abc123",
# "GroupName": "default",
# "IpPermissions": null,
# "IpPermissionsEgress": [
# {
# "FromPort": null,
# "IpProtocol": "-1",
# "IpRanges": [
# {
# "CidrIp": "0.0.0.0/0",
# "Description": null
# }
# ],
# "Ipv6Ranges": null,
# "PrefixListIds": null,
# "ToPort": null,
# "UserIdGroupPairs": null
# }
# ],
# "OwnerId": "112233445566",
# "Tags": null,
# "VpcId": "vpc-123454321"
# }
# ],
# "StaleSecurityGroups": [
# {
# "Description": "default VPC security group",
# "GroupId": "sg-abc567",
# "GroupName": "default",
# "StaleIpPermissions": null,
# "StaleIpPermissionsEgress": [
# {
# "FromPort": 5555,
# "IpProtocol": "tcp",
# "IpRanges": null,
# "PrefixListIds": null,
# "ToPort": 5555,
# "UserIdGroupPairs": [
# {
# "Description": null,
# "GroupId": "sg-abc567",
# "GroupName": "default",
# "PeeringStatus": "deleted",
# "UserId": "123456789012",
# "VpcId": "vpc-abc111222333444",
# "VpcPeeringConnectionId": null
# }
# ]
# }
# ],
# "VpcId": "vpc-abc123"
# }
# ],
# "State": "available",
# "Tags": null,
# "VpcId": "vpc-1234321"
# }
Detection logic
Rule logic imperative Python
from panther_aws_helpers import BadLookup, resource_lookup
def policy(resource):
default_id = f"arn:aws:ec2:{resource['Region']}:{resource['AccountId']}:security-group/{resource['DefaultSecurityGroupId']}"
try:
default_sg = resource_lookup(default_id)
except BadLookup:
return True
return default_sg["IpPermissions"] is None and default_sg["IpPermissionsEgress"] is None
The parser cannot express this rule's logic as a field filter; the imperative Python above is the detection.