Cloud team example: Changing VPC configurations - AWS Prescriptive Guidance


The cloud team is responsible for triaging and remediating security findings that have common trends, such as changes to AWS default settings that might not suit your use case. These findings tend to affect many AWS accounts or resources, such as VPC configurations, or they include a restriction that should be placed across the entire environment. For the most part, the cloud team makes manual, one-time changes, such as adding or updating a policy.

After your organization has used an AWS environment for some time, you might find a set of anti-patterns developing. An anti-pattern is a frequently used solution for a recurring issue where the solution is counter-productive, ineffective, or less effective than an alternative. As an alternative to these anti-patterns, your organization can use environment-wide restrictions that are more effective, such as AWS Organizations service control policies (SCPs) or IAM Identity Center permission sets. SCPs and permission sets can provide additional restrictions for resource types, such as preventing users from configuring a public Amazon Simple Storage Service (Amazon S3) bucket. Although it can be tempting to restrict every possible security configuration, there are policy size limits for SCPs and permission sets. We recommend a balanced approach to preventative and detective controls.

The following are some controls from the AWS Security Hub Foundational Security Best Practices (FSBP) standard that the cloud team might be responsible for:

For this example, the cloud team is addressing a finding for FSBP control EC2.2. The documentation for this control recommends not using the default security group because it allows broad access through the default inbound and outbound rules. Because the default security group cannot be deleted, the recommendation is to change the rule settings to restrict inbound and outbound traffic. To efficiently address this issue, the cloud team should use established mechanisms to modify the security group rules for all VPCs because each VPC has this default security group. In most cases, cloud teams manage VPC configurations by using AWS Control Tower customizations or an infrastructure as code (IaC) tool, such as HashiCorp Terraform or AWS CloudFormation.
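As an added example (not part of the AWS guidance), the EC2.2 check expressed in Python: it evaluates each VPC default security group in a `describe_security_groups` response and builds the `revoke_security_group_ingress` / `revoke_security_group_egress` arguments a remediation job would pass to the boto3 EC2 client. The response below is constructed sample data with made-up IDs; no AWS call is made.

```python
"""EC2.2: the VPC default security group must allow no inbound or outbound traffic.
Evaluates describe_security_groups output and derives the revoke calls that fix it."""

# Constructed sample: one default SG still carrying the AWS defaults (all traffic
# from itself inbound, all traffic outbound), one already locked down, one non-default.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa111111111111a", "GroupName": "default", "VpcId": "vpc-0aaa111111111111a",
         "IpPermissions": [{"IpProtocol": "-1",
                            "UserIdGroupPairs": [{"GroupId": "sg-0aaa111111111111a", "UserId": "111122223333"}]}],
         "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0bbb222222222222b", "GroupName": "default", "VpcId": "vpc-0bbb222222222222b",
         "IpPermissions": [], "IpPermissionsEgress": []},
        {"GroupId": "sg-0ccc333333333333c", "GroupName": "web", "VpcId": "vpc-0bbb222222222222b",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
         "IpPermissionsEgress": []},
    ]
}


def default_security_groups(response):
    """Keep only VPC default groups; every VPC has exactly one and it cannot be deleted."""
    return [sg for sg in response["SecurityGroups"] if sg["GroupName"] == "default" and sg.get("VpcId")]


def is_ec2_2_compliant(sg):
    """Control passes only when the default SG has no inbound and no outbound rules at all."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def remediation_calls(sg):
    """Return (client method name, kwargs) pairs that strip every rule from the group.
    The rule lists come straight from the describe output, so the revoke is exact."""
    calls = []
    if sg.get("IpPermissions"):
        calls.append(("revoke_security_group_ingress",
                      {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissions"]}))
    if sg.get("IpPermissionsEgress"):
        calls.append(("revoke_security_group_egress",
                      {"GroupId": sg["GroupId"], "IpPermissions": sg["IpPermissionsEgress"]}))
    return calls


def evaluate(response):
    """Map each default SG ID to its EC2.2 status and the calls needed to remediate it."""
    return {sg["GroupId"]: {"compliant": is_ec2_2_compliant(sg), "fix": remediation_calls(sg)}
            for sg in default_security_groups(response)}


if __name__ == "__main__":
    for group_id, result in evaluate(SAMPLE_RESPONSE).items():
        print(group_id, "PASS" if result["compliant"] else "FAIL", [name for name, _ in result["fix"]])
```

In a real run the response would come from `ec2.describe_security_groups(Filters=[{"Name": "group-name", "Values": ["default"]}])` in each account and Region, and each returned pair would be invoked as `getattr(ec2, name)(**kwargs)`.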