
[Bug]: ec2_securitygroup_default_restrict_traffic Triggers on unused, default security groups #4132

Closed
rieck-srlabs opened this issue May 30, 2024 · 3 comments · Fixed by #4138
Labels
bug provider/aws Issues/PRs related with the AWS provider severity/low Bug won't result in any noticeable breakdown of the execution.

Comments

@rieck-srlabs (Contributor) commented May 30, 2024

Steps to Reproduce

Run a prowler aws scan that includes the ec2_securitygroup_default_restrict_traffic check against a new account with no resources configured:

prowler aws --checks ec2_securitygroup_default_restrict_traffic

Expected behavior

The AWS check ec2_securitygroup_default_restrict_traffic should not produce FAIL findings, as there are no resources subject to a security group and no security groups have been created by the user.

Actual Result with Screenshots or Logs

Prowler produces a FAIL result for every default security group of every default VPC.

jq -r --arg CHECK_ID 'ec2_securitygroup_default_restrict_traffic' '.[] | select(.metadata.event_code == $CHECK_ID and .status_code == "FAIL") | .resources[0].region' < prowler-output-058264404402-20240523105507.ocsf.json
ap-northeast-1
ap-northeast-2
ap-northeast-3
ap-south-1
ap-southeast-1
ap-southeast-2
ca-central-1
eu-central-1
eu-north-1
eu-west-1
eu-west-2
eu-west-3
sa-east-1
us-east-1
us-east-2
us-west-1
us-west-2

The VPCs are completely unused and do not even have a public IP.

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

Workstation

OS used

macOS

Prowler version

4.1.0

Pip version

24.0

Context

AWS automatically creates a default VPC in every region. For every VPC, AWS creates a default security group.

The default security group has no ingress or egress rules associated with it -- it allows all traffic.

However,
a) the VPC is unused by default,
b) the VPC does not automatically have a public IP associated with it, even if it contains resources,
c) security groups are just one way to restrict access to resources in AWS, not the only one

I don't think it's sensible to produce ~20 High FAILs for an empty AWS account.

Note: a previous version of this check instead checked if the security group "is open to the Internet". In some sense, this makes more sense to me. See #2761 for background on why this was changed.

@rieck-srlabs rieck-srlabs added bug status/needs-triage Issue pending triage labels May 30, 2024
@jfagoagas (Member)

Hi @rieck-srlabs, I think this check is a good candidate for the --scan-unused-services flag, because it is not good to have a default security group with rules in it, and by default it allows ingress traffic from itself and egress traffic to the Internet -- https://docs.aws.amazon.com/vpc/latest/userguide/default-security-group.html.

I think we can improve it using that flag or maybe checking if it is attached to something. What do you think?

CC: @sergargar

@jfagoagas jfagoagas added the provider/aws Issues/PRs related with the AWS provider label May 30, 2024
@rieck-srlabs (Contributor, Author)

Yes, I was just about to propose exactly this.

My current way to validate findings is to

  1. check if there is a network interface associated with the security group, and
  2. additionally see if that network interface is publicly accessible.

I'm not certain if these checks are sufficient to identify 'unused services' though.

@MrCloudSec MrCloudSec self-assigned this May 30, 2024
@MrCloudSec MrCloudSec added severity/low Bug won't result in any noticeable breakdown of the execution. and removed status/needs-triage Issue pending triage labels May 30, 2024
@MrCloudSec (Member)

Hi @rieck-srlabs, I have added the logic of checking if the default security group is in use (by checking if it has any network interface attached) and if its VPC is also in use.
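The "is it actually in use?" logic discussed in this thread (a default security group attached to a network interface, or sitting in a VPC that is in use, with a --scan-unused-services style override) as an added Python example; this is not Prowler's own code. The inputs imitate the shape of boto3 describe_security_groups and describe_network_interfaces responses but are constructed inline, and treating a VPC as in use whenever any ENI exists inside it is an assumption.

```python
def sg_has_rules(sg):
    """True if the security group still carries any ingress or egress rule."""
    return bool(sg.get("IpPermissions")) or bool(sg.get("IpPermissionsEgress"))

def enis_by_sg(network_interfaces):
    """Map security group id -> ENI ids that reference it."""
    attached = {}
    for eni in network_interfaces:
        for group in eni.get("Groups", []):
            attached.setdefault(group["GroupId"], []).append(eni["NetworkInterfaceId"])
    return attached

def evaluate_default_sgs(security_groups, network_interfaces, scan_unused_services=False):
    """Return {GroupId: "PASS" | "FAIL" | "SKIPPED"} for every default security group."""
    attached = enis_by_sg(network_interfaces)
    # Assumption: a VPC counts as "in use" when at least one ENI exists inside it.
    used_vpcs = {eni["VpcId"] for eni in network_interfaces}
    results = {}
    for sg in security_groups:
        if sg["GroupName"] != "default":
            continue  # the check only concerns default security groups
        if not sg_has_rules(sg):
            results[sg["GroupId"]] = "PASS"  # all rules removed: traffic restricted
        elif sg["GroupId"] in attached or sg["VpcId"] in used_vpcs or scan_unused_services:
            results[sg["GroupId"]] = "FAIL"  # in use (or operator asked for unused too)
        else:
            results[sg["GroupId"]] = "SKIPPED"  # unused default SG in an unused VPC: no finding
    return results

# Constructed sample data shaped like boto3 describe_* responses (not from a real account).
ALL_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
def self_ingress(sg_id):  # AWS's stock "allow everything from this group" ingress rule
    return [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": sg_id}]}]
SECURITY_GROUPS = [
    # default SG in an empty default VPC: one of the reporter's ~20 noisy findings
    {"GroupId": "sg-unused", "GroupName": "default", "VpcId": "vpc-empty",
     "IpPermissions": self_ingress("sg-unused"), "IpPermissionsEgress": ALL_EGRESS},
    # default SG with an ENI attached: genuinely in use
    {"GroupId": "sg-attached", "GroupName": "default", "VpcId": "vpc-busy",
     "IpPermissions": self_ingress("sg-attached"), "IpPermissionsEgress": ALL_EGRESS},
    # default SG with nothing attached, but another interface lives in its VPC
    {"GroupId": "sg-vpcbusy", "GroupName": "default", "VpcId": "vpc-busy2",
     "IpPermissions": self_ingress("sg-vpcbusy"), "IpPermissionsEgress": ALL_EGRESS},
    # default SG with all rules removed: what the check wants to see
    {"GroupId": "sg-clean", "GroupName": "default", "VpcId": "vpc-empty2",
     "IpPermissions": [], "IpPermissionsEgress": []},
]
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-1", "VpcId": "vpc-busy", "Groups": [{"GroupId": "sg-attached"}]},
    {"NetworkInterfaceId": "eni-2", "VpcId": "vpc-busy2", "Groups": [{"GroupId": "sg-web"}]},
]
```

With the sample data, only sg-unused is suppressed; passing scan_unused_services=True turns it back into a FAIL, matching the flag's intent.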
