Make AWS default security groups limit all inbound and outbound traffic


As per AWS docs, a default security group:

  • Allows inbound traffic from all resources that are assigned to this security group. The source is the ID of this security group.
  • Allows all outbound IPv4 traffic.

A recent pentest, however, has recommended that upon creation default security groups should instead restrict all traffic. Is there a way to set this as a standard across an account or organisation? I don't want to have to manually update individual security groups via console or CLI.

1


2
MarcC On

A good practice when you create a new account is to create a new VPC, and the associated subnets and security groups using a template and drop the default ones. You can do all that with a mix of CLI and CloudFormation.

You can also run compliance checks using AWS Config to regularly check that your accounts respect this policy (default security group does allow all inbound and outbound traffic).
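As an added example (not part of the answer above, and not AWS or the answerer's code), here is a Python script in the style of the "mix of CLI and scripting" the answer describes: it enumerates every VPC's default security group through a boto3-shaped EC2 client, reports which ones still carry the stock self-referencing ingress and allow-all egress rules, and optionally revokes them. The `FakeEC2` class and all `sg-`/`vpc-`/account-id values are constructed so the example runs offline; against a real account you would pass `boto3.client("ec2")` instead. The closed-state check it implements is the same condition the managed AWS Config rule `vpc-default-security-group-closed` evaluates.

```python
"""Audit and (optionally) close the default security group of every VPC.

Operates on the dict shape returned by boto3's ec2.describe_security_groups().
"""
import copy
from typing import Any, Dict, List, Tuple

# Constructed sample: what AWS returns for a fresh VPC's default security group
# (self-referencing allow-all ingress, allow-all IPv4 egress). IDs are placeholders.
SAMPLE_OPEN_DEFAULT_SG: Dict[str, Any] = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "default",
    "VpcId": "vpc-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "-1",
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "111111111111"}],
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": []}
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
    ],
}

# Constructed sample: a default group that has already been emptied.
SAMPLE_CLOSED_DEFAULT_SG: Dict[str, Any] = {
    "GroupId": "sg-0fedcba9876543210",
    "GroupName": "default",
    "VpcId": "vpc-0fedcba9876543210",
    "IpPermissions": [],
    "IpPermissionsEgress": [],
}


def is_default_sg_closed(sg: Dict[str, Any]) -> bool:
    """True when a default group has no ingress and no egress rules at all."""
    return (sg.get("GroupName") == "default"
            and not sg.get("IpPermissions")
            and not sg.get("IpPermissionsEgress"))


def remediation_plan(sg: Dict[str, Any]) -> Dict[str, List[Dict[str, Any]]]:
    """Rules that must go; the entries are already in the shape the revoke calls accept."""
    return {"ingress": list(sg.get("IpPermissions", [])),
            "egress": list(sg.get("IpPermissionsEgress", []))}


def close_default_security_groups(ec2, dry_run: bool = True) -> List[Tuple[str, str]]:
    """Walk every default SG visible to the client; revoke all rules unless dry_run.

    `ec2` is a boto3 EC2 client (or anything exposing the same three methods).
    Default groups cannot be deleted, so emptying them is the remediation.
    """
    report: List[Tuple[str, str]] = []
    kwargs: Dict[str, Any] = {"Filters": [{"Name": "group-name", "Values": ["default"]}]}
    while True:  # manual NextToken loop so a fake client without paginators works
        resp = ec2.describe_security_groups(**kwargs)
        for sg in resp["SecurityGroups"]:
            plan = remediation_plan(sg)
            if not plan["ingress"] and not plan["egress"]:
                report.append((sg["GroupId"], "compliant"))
                continue
            if not dry_run:
                if plan["ingress"]:
                    ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=plan["ingress"])
                if plan["egress"]:
                    ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=plan["egress"])
            report.append((sg["GroupId"], "would revoke" if dry_run else "revoked"))
        if not resp.get("NextToken"):
            return report
        kwargs["NextToken"] = resp["NextToken"]


class FakeEC2:
    """Offline stand-in for a boto3 EC2 client (constructed for this example)."""

    def __init__(self, groups: List[Dict[str, Any]]):
        self.groups = copy.deepcopy(groups)
        self.revoked_ingress = 0
        self.revoked_egress = 0

    def describe_security_groups(self, Filters=None, NextToken=None):
        names = next((f["Values"] for f in (Filters or []) if f["Name"] == "group-name"), None)
        return {"SecurityGroups": [g for g in self.groups if names is None or g["GroupName"] in names]}

    def _find(self, group_id: str) -> Dict[str, Any]:
        return next(g for g in self.groups if g["GroupId"] == group_id)

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self._find(GroupId)["IpPermissions"] = []
        self.revoked_ingress += 1
        return {"Return": True}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self._find(GroupId)["IpPermissionsEgress"] = []
        self.revoked_egress += 1
        return {"Return": True}


if __name__ == "__main__":
    # Real use: import boto3; ec2 = boto3.client("ec2", region_name="eu-west-1")
    client = FakeEC2([SAMPLE_OPEN_DEFAULT_SG, SAMPLE_CLOSED_DEFAULT_SG])
    for group_id, status in close_default_security_groups(client, dry_run=True):
        print(group_id, status)
```

Run it once per region in each account (for an Organization, assume a cross-account role into each member account first); the dry run lists what would change, and enabling `vpc-default-security-group-closed` in AWS Config afterwards gives the recurring check the answer mentions, catching any new VPC whose default group has drifted back to the stock rules.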