Default Security Groups have Unrestricted Access

Tenacity Id

Risk Level




Last Updated:

April 21, 2022

A default AWS Security Group contains an inbound rule that allows source address of or ::/0. Unrestricted inbound access is inherently insecure and creates a broad attack surface for potentially any device on the internet to exploit. A default security group is created when an AWS Virtual Private Cloud (VPC) is created and is configured for open inbound and outbound access. AWS Elastic Compute Cloud (EC2) instances will be assigned to the default security group when created if no other security group is assigned. Default security groups cannot be deleted. This creates an inherent vulnerability that should be mitigated. Avoid using the default Security Group. Remove the inbound rule allowing any source address and port ( or ::/0) in the default Security Group. Configure the default Security Group with the minimum required set of inbound rules (e.g. none or SSH only from a bastion host).