Default VPC security group should have no inbound or outbound rules. This check evaluates whether the default group allows any traffic at all (ingress rules, egress rules, or a self-referencing rule that lets members of the group talk to each other) instead of remaining empty.
Risk
Permissive rules in the default security group mean every instance that inherits it can communicate widely. This enables lateral movement, port scanning, and data exfiltration, and unrestricted egress lets a compromised instance reach command-and-control (C2) infrastructure. Confidentiality and integrity are reduced, and the blast radius of a single compromise grows.
prowler aws --checks ec2_securitygroup_default_restrict_traffic
Recommendation
Enforce least privilege: keep the default group empty by removing all ingress and egress rules. Use dedicated security groups per workload with explicit sources, destinations, and ports. Regularly review for broad CIDRs like 0.0.0.0/0 and apply defense in depth via automation and policy guardrails.
Remediation
- Open the AWS Console and go to VPC > Security > Security groups
- Select the security group named "default" for the affected VPC
- In Inbound rules, click Edit inbound rules, delete all rules, and Save
- In Outbound rules, click Edit outbound rules, delete all rules, and Save
- Repeat for each VPC that has this finding
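The same evaluation and clean-up can be automated. The following is an added example, not Prowler's own check code: it reproduces the check's pass/fail logic (the group passes only when it has no ingress and no egress rules, with a self-referencing rule counted like any other) over a describe_security_groups-style record, and performs the console remediation above with boto3's revoke_security_group_ingress/egress calls. The security-group record, IDs and account number are constructed placeholders, and the recording client is a stand-in so the example runs offline; the optional main() path uses a real boto3 client.

```python
"""Evaluate and remediate rules on a VPC's default security group.

Added example (not Prowler's own code). Mirrors the semantics of the
ec2_securitygroup_default_restrict_traffic check and the console
remediation steps, using the boto3 EC2 API for the live path.
"""
from __future__ import annotations

from typing import Any, Dict, List

# Constructed sample resembling one entry of a DescribeSecurityGroups
# response: a default group with a self-referencing ingress rule and the
# usual allow-all egress rule. All IDs are placeholders.
SAMPLE_DEFAULT_SG: Dict[str, Any] = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "default",
    "VpcId": "vpc-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "111111111111"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}


def classify_rules(sg: Dict[str, Any]) -> Dict[str, int]:
    """Count ingress rules, egress rules and self-referencing group pairs.

    A self-referencing rule is a UserIdGroupPairs entry whose GroupId is the
    group's own ID; it appears inside IpPermissions/IpPermissionsEgress, so it
    is already counted as an ingress or egress rule as well.
    """
    own_id = sg["GroupId"]
    ingress: List[Dict[str, Any]] = sg.get("IpPermissions", [])
    egress: List[Dict[str, Any]] = sg.get("IpPermissionsEgress", [])
    self_ref = sum(
        1
        for perm in ingress + egress
        for pair in perm.get("UserIdGroupPairs", [])
        if pair.get("GroupId") == own_id
    )
    return {"ingress": len(ingress), "egress": len(egress), "self_referencing": self_ref}


def is_default_sg_restricted(sg: Dict[str, Any]) -> bool:
    """PASS only when the group carries no inbound and no outbound rules."""
    counts = classify_rules(sg)
    return counts["ingress"] == 0 and counts["egress"] == 0


def revoke_all_rules(ec2_client: Any, sg: Dict[str, Any]) -> int:
    """Delete every inbound and outbound rule, leaving the group empty.

    The permission lists returned by DescribeSecurityGroups can be passed
    straight back to the revoke calls. Returns the number of API calls made.
    """
    calls = 0
    if sg.get("IpPermissions"):
        ec2_client.revoke_security_group_ingress(
            GroupId=sg["GroupId"], IpPermissions=sg["IpPermissions"])
        calls += 1
    if sg.get("IpPermissionsEgress"):
        ec2_client.revoke_security_group_egress(
            GroupId=sg["GroupId"], IpPermissions=sg["IpPermissionsEgress"])
        calls += 1
    return calls


class RecordingEC2Client:
    """Offline stand-in for a boto3 EC2 client that records revoke calls."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def revoke_security_group_ingress(self, **kwargs: Any) -> None:
        self.calls.append(("ingress", kwargs))

    def revoke_security_group_egress(self, **kwargs: Any) -> None:
        self.calls.append(("egress", kwargs))


def main() -> None:
    """Live path: list every default group in the region and clean it up."""
    import boto3  # imported here so the offline functions need no boto3

    ec2 = boto3.client("ec2")
    resp = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": ["default"]}])
    for sg in resp["SecurityGroups"]:
        if is_default_sg_restricted(sg):
            print(f"PASS {sg['GroupId']} ({sg['VpcId']}) has no rules")
            continue
        print(f"FAIL {sg['GroupId']} ({sg['VpcId']}): {classify_rules(sg)}")
        revoke_all_rules(ec2, sg)  # same effect as the console steps above


if __name__ == "__main__":
    main()
```

Running the live path needs ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and ec2:RevokeSecurityGroupEgress permissions for the target region; re-running the check afterwards should report PASS for each default group.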
Resource Type
AwsEc2SecurityGroup