Should AWS Security groups allow internet traffic?

OK, so I created a default Elastic Beanstalk application and am getting this reported as High Risk, and it happens on all Regions that are connected to the VPC network (which is not a public IP, only the Load Balancer subnets are).

AWS Security groups allow internet traffic

The site is public, so shouldn't this be normal? Or is there a way to not allow Security Groups internet traffic and still keep the site publicly visible to users who visit it? I'm just not sure if there is a way to fix this High Security Risk that's being reported. Is this an actual Security Risk? If so, any idea how to fix this problem? I am also receiving the following Security Risk here:

AWS Default Security Group does not restrict all traffic

Why would I want to restrict all traffic? Is there a way to do this and still make the site publicly visible on the internet? Please note, I am running a WordPress site.

Should this not allow Internet Access? Sorry if this is a dumb question.

And seeing this as well:

AWS EC2 instances with Public IP and associated with Security Groups have Internet Access

I don't think these instances need access to the internet to be displayed on the internet, but not sure how to fix this.

EDIT: Here are my Security Groups inbound and outbound rules:

Do I need to remove the Inbound Rule for this in order to fix this, but still keep internet working on the site? This is the Security Group for the VPC Network, btw, is this the correct one?

Load Balancer Settings from EB here:



Solution 1:

AWS Security groups allow internet traffic

Normal for a web server.

AWS Default Security Group does not restrict all traffic

Remove all the rules from the default security group, and use a custom security group.

Update: Best practice is not to use the default security group, and to remove all rules from that group. That way anything that uses the default security group is obviously using a default rather than a deliberate selection, which generally means it needs attention and to be changed to use an appropriate security group.

AWS EC2 instances with Public IP and associated with Security Groups have Internet Access

That's the whole point of it, I think.
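
One way to check the points in the answer above, as an added example that is not part of the original answer: it reads security groups in the shape returned by `aws ec2 describe-security-groups`, flags a default group that still has rules, and treats internet-open ingress as expected only on ports 80/443. The sample data, the group IDs and the 80/443 allow-list are assumptions made for illustration.

```python
# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (made-up IDs): an untouched default group and a load-balancer group.
ANY = [{"CidrIp": "0.0.0.0/0"}]
SAMPLE = [
    {"GroupId": "sg-0aaa", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": ANY}]},
    {"GroupId": "sg-0bbb", "GroupName": "web-lb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": ANY},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ANY}],
     "IpPermissionsEgress": []},
]

WEB_PORTS = {80, 443}  # assumption: the only ports meant to be public


def open_to_internet(rule):
    """True if the rule's source includes every IPv4 or IPv6 address."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def only_web_ports(rule):
    """True for a single-port TCP rule on 80 or 443."""
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return rule.get("IpProtocol") == "tcp" and lo == hi and lo in WEB_PORTS


def audit(groups):
    """Return (group_id, issue) pairs for the two conditions above."""
    findings = []
    for g in groups:
        ingress = g.get("IpPermissions", [])
        egress = g.get("IpPermissionsEgress", [])
        if g["GroupName"] == "default":
            # Per the answer: the default group should carry no rules at all.
            if ingress or egress:
                findings.append((g["GroupId"], "default group still has rules"))
            continue
        for rule in ingress:
            if open_to_internet(rule) and not only_web_ports(rule):
                port = rule.get("FromPort", "all")  # "-1" rules have no port
                findings.append((g["GroupId"], f"internet-open ingress on port {port}"))
    return findings
```

Calling `audit(SAMPLE)` reports the untouched default group and the port 22 rule, while the port 80 rule on the load-balancer group passes as expected for a public site.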