@pataiji
Last active September 22, 2021 02:07
Revoke all ingress/egress permissions from default security groups in all regions
#!/bin/bash
# * EC2.2 The VPC default security group should not allow inbound and outbound traffic
# * https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#ec2-2-remediation
# * 4.3 Ensure the default security group of every VPC restricts all traffic
# * https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#cis-4.3-remediation
set -euo pipefail
export AWS_PAGER=""   # never open a pager for any of the CLI calls below

# Every enabled region, as a whitespace-separated list (a plain string, not a bash array).
regions=$(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
for region in $regions; do
  # Each VPC has its own group named "default", so a region can hold several.
  groupIds=$(aws ec2 describe-security-groups --region "$region" \
    | jq -r '.SecurityGroups[] | select(.GroupName == "default") | .GroupId')
  if [ -n "$groupIds" ]; then
    echo "default group found: $groupIds"
    for groupId in $groupIds; do
      # The rule sets returned by describe-security-groups have the same shape
      # that --ip-permissions expects, so the current rules are revoked verbatim.
      # -c keeps the JSON on one line so it passes cleanly as a single argument.
      ingress=$(aws ec2 describe-security-groups --region "$region" --group-ids "$groupId" \
        | jq -c '.SecurityGroups[].IpPermissions')
      if [ "$ingress" = '[]' ]; then
        echo "ingress not found"
      else
        echo "ingress found: $ingress"
        aws ec2 revoke-security-group-ingress --region "$region" --group-id "$groupId" --ip-permissions "$ingress"
      fi
      egress=$(aws ec2 describe-security-groups --region "$region" --group-ids "$groupId" \
        | jq -c '.SecurityGroups[].IpPermissionsEgress')
      if [ "$egress" = '[]' ]; then
        echo "egress not found"
      else
        echo "egress found: $egress"
        aws ec2 revoke-security-group-egress --region "$region" --group-id "$groupId" --ip-permissions "$egress"
      fi
    done
  else
    echo "default group not found"
  fi
done
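A read-only counterpart to the script above, added here and not part of the gist: it applies the same "GroupName == default" selection to a saved `describe-security-groups` response, reports which default groups still carry rules, and prints the exact revoke commands the script would run, so the change can be reviewed before anything is modified. The sample response and the function names are constructed for this example.

```python
"""Audit-mode check for EC2.2 / CIS 4.3: every VPC default security group must
have empty IpPermissions and IpPermissionsEgress.  Input is the dict form of the
JSON from `aws ec2 describe-security-groups`, so it also works on a snapshot."""
import json
import shlex
from typing import Any


def find_default_groups(describe_output: dict[str, Any]) -> list[dict[str, Any]]:
    """Same selection as the gist's jq filter: groups whose GroupName is 'default'."""
    return [g for g in describe_output.get("SecurityGroups", []) if g.get("GroupName") == "default"]


def audit_default_group(group: dict[str, Any], region: str) -> dict[str, Any]:
    """Report one default group: compliant iff both rule sets are empty, plus the
    shell-quoted revoke commands (one per non-empty direction) that would empty it."""
    ingress = group.get("IpPermissions", [])
    egress = group.get("IpPermissionsEgress", [])
    plan = []
    for direction, perms in (("ingress", ingress), ("egress", egress)):
        if perms:  # describe output is already the shape --ip-permissions expects
            plan.append(f"aws ec2 revoke-security-group-{direction} --region {region} "
                        f"--group-id {group['GroupId']} --ip-permissions {shlex.quote(json.dumps(perms))}")
    return {"GroupId": group["GroupId"], "VpcId": group.get("VpcId"), "Region": region,
            "compliant": not ingress and not egress, "plan": plan}


def audit(describe_output: dict[str, Any], region: str) -> list[dict[str, Any]]:
    """Audit every default group in one region's describe-security-groups output."""
    return [audit_default_group(g, region) for g in find_default_groups(describe_output)]


# Constructed sample response: one default group still carrying the rules AWS
# creates (self-referencing ingress, allow-all egress), one already emptied, and
# one non-default group that must be ignored.  IDs are placeholders.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0000000000000000a", "GroupName": "default", "VpcId": "vpc-0000000000000000a",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [
         {"GroupId": "sg-0000000000000000a", "UserId": "123456789012"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000000b", "GroupName": "default", "VpcId": "vpc-0000000000000000b",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0000000000000000c", "GroupName": "web", "VpcId": "vpc-0000000000000000a",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE, "us-east-1"):
        print(json.dumps(finding, indent=2))
```

To audit a live region, replace SAMPLE with `json.load()` of `aws ec2 describe-security-groups --region <region>` output; the plan lines are the commands the gist would execute for that region.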