JSON/YAML: Default security group used
Description
Detects when AWS EC2 instances or launch templates are configured to use the default VPC security group in CloudFormation templates. Using the default security group is considered insecure as it may have overly permissive rules and does not follow the principle of least privilege.
Detection Strategy
• Scans CloudFormation template files for EC2-related resources (AWS::EC2::Instance and AWS::EC2::LaunchTemplate)
• Identifies whether the security group configuration references the default VPC security group, or omits security groups entirely (in which case EC2 attaches the VPC's default security group to the instance)
• Reports a vulnerability when an EC2 instance or launch template resource is found using the default security group configuration
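The three steps above, implemented as a small scanner for JSON CloudFormation templates. This is an added example, not Fluid Attacks' own detector: it walks the `Resources` map, looks only at `AWS::EC2::Instance` and `AWS::EC2::LaunchTemplate`, and reports a resource when it names the group `default` or declares no group under `SecurityGroupIds`, `SecurityGroups` or a `NetworkInterfaces` `GroupSet`. The sample template (`SAMPLE_TEMPLATE`) and the function names are constructed for this example; intrinsic functions such as `Ref` are treated as references to groups the template itself creates and are not flagged.

```python
import json

# Properties on an EC2 instance (or on LaunchTemplateData) that attach
# security groups. SecurityGroupIds takes group IDs, SecurityGroups names.
SG_KEYS = ("SecurityGroupIds", "SecurityGroups")

# Constructed sample template for this example (not from the original page):
# one instance with no group at all, one launch template naming "default",
# and one instance that uses a restricted group the template defines itself.
SAMPLE_TEMPLATE = """
{
  "Resources": {
    "VulnerableEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-123456", "KeyName": "mykey"}
    },
    "LegacyLaunchTemplate": {
      "Type": "AWS::EC2::LaunchTemplate",
      "Properties": {
        "LaunchTemplateData": {"ImageId": "ami-123456", "SecurityGroups": ["default"]}
      }
    },
    "RestrictedSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "Restricted security group"}
    },
    "SecureInstance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-123456",
        "SecurityGroupIds": [{"Ref": "RestrictedSG"}]
      }
    }
  }
}
"""


def _groups_of(props):
    """Collect every security-group entry declared in a Properties block
    (or a LaunchTemplateData block), including per-interface GroupSet."""
    groups = []
    for key in SG_KEYS:
        value = props.get(key)
        if value is not None:
            groups.extend(value if isinstance(value, list) else [value])
    for nic in props.get("NetworkInterfaces") or []:
        if isinstance(nic, dict):
            groups.extend(nic.get("GroupSet") or [])
    return groups


def _is_default_group(value):
    """True when an entry names the VPC default group by its literal name.
    Intrinsic functions (Ref, Fn::GetAtt, ...) arrive as dicts and point at
    groups the template creates or imports, so they are not flagged."""
    return isinstance(value, str) and value.strip().lower() == "default"


def find_default_sg_usage(template):
    """Return (logical_id, reason) for each EC2 instance / launch template
    that names the default security group or declares no group at all
    (EC2 then attaches the VPC default group)."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        props = resource.get("Properties") or {}
        rtype = resource.get("Type")
        if rtype == "AWS::EC2::Instance":
            groups = _groups_of(props)
        elif rtype == "AWS::EC2::LaunchTemplate":
            groups = _groups_of(props.get("LaunchTemplateData") or {})
        else:
            continue  # security groups, subnets, etc. are not subjects here
        if not groups:
            findings.append((logical_id, "no security group declared"))
        elif any(_is_default_group(g) for g in groups):
            findings.append((logical_id, "default security group referenced"))
    return findings


def scan_template_text(text):
    """Parse a JSON template and run the check over it."""
    return find_default_sg_usage(json.loads(text))


if __name__ == "__main__":
    for logical_id, reason in scan_template_text(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

For YAML templates the same `find_default_sg_usage` applies once the document is loaded with a YAML parser that understands CloudFormation's short-form tags (`!Ref`, `!GetAtt`); that loader is not included here. A launch template with no groups is reported even though an Auto Scaling group or a launch call may override its network settings, so treat that finding as one to confirm against how the template is consumed.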
Vulnerable code example

```json
{
  "Resources": {
    "VulnerableEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-123456", // Vulnerable: No security group specified
        "KeyName": "mykey"       // Instance exposed without network security controls
      }
    }
  }
}
```
✅ Secure code example

```json
{
  "Resources": {
    "SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Restricted security group",
        "SecurityGroupIngress": [
          { ...
```