Ensure Security Groups do not have unrestricted access

Error: Security Groups have unrestricted access

Bridgecrew Policy ID: BC_AWS_NETWORKING_10
Severity: CRITICAL

Security Groups have unrestricted access

Description

Security groups are associated with your AWS EC2 instances and provide security at protocol and port access levels. Each security group works as a firewall, containing a set of rules that filter the ingress and egress traffic of an EC2 instance. There is no Deny rule in a security group: if there is no rule that explicitly permits a data packet, it is dropped.

We recommend you do not allow your AWS security groups unrestricted access to your EC2 instances. Unrestricted access becomes a pathway for various malicious activities and attacks, including hacking, denial-of-service attacks, loss of data, and more. It can hamper your daily operations and compromise the confidentiality of your cloud environment.

We also recommend that you restrict access to most ports in your security groups; exceptions include commonly exposed service ports such as:

  • Port 25 (Simple Mail Transfer Protocol (SMTP))
  • Port 80 (Hypertext Transfer Protocol (HTTP))
  • Port 443 (HTTPS, the standard TCP port for websites using SSL/TLS).
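As an added illustration of what this policy checks (this is example code, not Bridgecrew's checker), the function below walks the `IpPermissions` of a security group in the shape returned by `aws ec2 describe-security-groups` and reports every ingress rule open to the whole internet (0.0.0.0/0 or ::/0) unless it is exactly port 25, 80 or 443. The group id and rules in `SAMPLE_SG` are constructed for the example.

```python
# Added example (not Bridgecrew's own implementation): flag security group
# ingress rules that allow any source on ports other than 25, 80 and 443.
ALLOWED_PUBLIC_PORTS = {25, 80, 443}   # exceptions named in the policy text
ANY_SOURCE = {"0.0.0.0/0", "::/0"}     # "unrestricted" IPv4 and IPv6 sources


def rule_is_unrestricted(rule):
    """True if the rule's source list includes the whole internet (v4 or v6)."""
    v4 = any(r.get("CidrIp") in ANY_SOURCE for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in ANY_SOURCE for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def rule_ports(rule):
    """Port range the rule covers; None means every protocol and port (-1)."""
    if rule.get("IpProtocol") == "-1":
        return None
    return rule["FromPort"], rule["ToPort"]


def find_violations(security_group):
    """One finding per ingress rule open to the world outside the allowed ports."""
    sg_id = security_group.get("GroupId", "<unknown>")
    findings = []
    for rule in security_group.get("IpPermissions", []):
        if not rule_is_unrestricted(rule):
            continue                      # restricted source: not this policy's concern
        ports = rule_ports(rule)
        if ports is None:
            findings.append(f"{sg_id}: all protocols/ports open to the world")
            continue
        lo, hi = ports
        # Only a single allowed port (e.g. 443-443) passes; a range such as
        # 80-443 also exposes everything in between and is still flagged.
        if lo == hi and lo in ALLOWED_PUBLIC_PORTS:
            continue
        findings.append(f"{sg_id}: {rule['IpProtocol']} {lo}-{hi} open to the world")
    return findings


# Constructed sample (placeholder group id) in describe-security-groups shape.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
```

Running `find_violations(SAMPLE_SG)` reports the world-open port 22 rule and the all-traffic IPv6 rule, while the port 443 rule and the 10.0.0.0/8-scoped port 22 rule pass.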