Should AWS Security groups allow internet traffic?
Ok, so I created a default Elastic Beanstalk Application and getting this reported as High Risk, and happens on all Regions that are connected to the VPC Network (which is not a public IP, only the Load Balancer subnets are).
AWS Security groups allow internet traffic
The site is public, so shouldn't this be normal? Or is there a way to not allow Security Groups internet traffic and still keep the site publicly visible to users who visit it? I'm just not sure if there is a way to fix this High Security Risk that's being reported. Is this an actual Security Risk? If so, any idea how to fix this problem? I am also receiving the following Security Risk here:
AWS Default Security Group does not restrict all traffic
Why would I want to restrict all traffic? Is there a way to do this and still make the site publicly visible on the internet? Please note, running a wordpress site.
Should this not allow Internet Access? Sorry if this is a dumb question.
And seeing this as well:
AWS EC2 instances with Public IP and associated with Security Groups have Internet Access
I don't think these instances need access to the internet to be displayed on the internet, but not sure how to fix this.
EDIT Here are my Security Groups inbound and outbound rules:
Do I need to remove the Inbound Rule for this in order to fix this, but still keep internet working on the site? This is the Security Group for the VPC Network, btw, is this the correct one?
Load Balancer Settings from EB here:
Solution 1:
AWS Security groups allow internet traffic
Normal for a web server
AWS Default Security Group does not restrict all traffic
Remove all the rules from the default security group, and use a custom security group.
Update: Best practice is not to use the default security group, and to remove all rules from that group. That way anything that uses the default security group is obviously using a default rather than a deliberate selection, which generally means it needs attention and to be changed to use an appropriate security group.
AWS EC2 instances with Public IP and associated with Security Groups have Internet Access
That's the whole point of it I think