Default Security Group Check
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | vpc-default-sg-closed |
| Identifier | Default Security Group Check |
| Description | If a default security group allows any inbound or outbound traffic, it is considered non-compliant. |
| Tag | vpc |
| Trigger Type | Configuration change |
| Filter Type | vpc.securityGroups |
| Rule Parameters | None |
Application Scenarios
When you use security groups for the first time, the system automatically creates a default security group. For details, see Default Security Groups. Although default security groups provide basic network access control, their rules are usually loose and cannot meet complex or customized security requirements. You are advised to create custom security groups according to application requirements, specify only the allowed traffic types and ports, and strictly follow the principle of least privilege. Disable both inbound and outbound traffic for the default security group. This prevents misconfigurations that could expose your resources.
Solution
Modify the security group rules. Delete the security group rules whose policy is Allow in the default security group.
Rule Logic
- All non-default security groups are compliant.
- If a default security group denies all inbound or outbound traffic, it is considered compliant.
- If a default security group allows any inbound or outbound traffic, it is considered non-compliant.

A security group typically contains multiple rules, and these rules take effect in a defined order. For details, see How Traffic Matches Security Group Rules. This Config rule ignores all Deny rules in a security group and only evaluates the traffic that the group may allow.
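The rule logic above, applied to constructed security group records, as an added example that is not Huawei Cloud's own Config code. The record layout (a group identified by `name == "default"`, with rules carrying `direction` and `action` fields) is an assumption; it also lists the Allow rules the Solution section says to delete.

```python
"""Added example (not Huawei Cloud's own code): applies the vpc-default-sg-closed
rule logic to constructed security group records and lists the Allow rules the
Solution section says to delete. The record layout used here is an assumption."""

DEFAULT_SG_NAME = "default"   # assumption: the default group is identified by name

def is_default_sg(sg: dict) -> bool:
    return sg.get("name") == DEFAULT_SG_NAME

def allow_rules(sg: dict) -> list:
    """Allow rules in either direction; Deny rules are ignored, as the Config rule does."""
    return [
        r for r in sg.get("security_group_rules", [])
        if r.get("action", "allow").lower() == "allow"
        and r.get("direction") in ("ingress", "egress")
    ]

def evaluate(sg: dict) -> str:
    """'Compliant' or 'NonCompliant' following the documented rule logic."""
    if not is_default_sg(sg):
        return "Compliant"                      # non-default groups are always compliant
    return "NonCompliant" if allow_rules(sg) else "Compliant"

def evaluate_all(groups: list) -> dict:
    return {sg["id"]: evaluate(sg) for sg in groups}

def rules_to_delete(sg: dict) -> list:
    """Rule IDs to remove so a default group becomes compliant (the page's Solution)."""
    return [r["id"] for r in allow_rules(sg)] if is_default_sg(sg) else []

# Constructed sample records (not real resources)
SAMPLE_GROUPS = [
    {"id": "sg-default-open", "name": "default", "security_group_rules": [
        {"id": "r-1", "direction": "ingress", "action": "allow", "remote_ip_prefix": "0.0.0.0/0"},
        {"id": "r-2", "direction": "egress", "action": "deny", "remote_ip_prefix": "0.0.0.0/0"},
    ]},
    {"id": "sg-default-closed", "name": "default", "security_group_rules": [
        {"id": "r-3", "direction": "ingress", "action": "deny", "remote_ip_prefix": "0.0.0.0/0"},
    ]},
    {"id": "sg-default-empty", "name": "default", "security_group_rules": []},
    {"id": "sg-web", "name": "web-tier", "security_group_rules": [
        {"id": "r-4", "direction": "ingress", "action": "allow", "remote_ip_prefix": "0.0.0.0/0"},
    ]},
]
```

Only `sg-default-open` is reported non-compliant, and its single Allow rule `r-1` is the one to delete; the Deny rule `r-2` plays no part in the verdict.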