Add option to clear default security group rules

[sirket]

The default security group is wide open to itself but this will show up during many security audits. As the default security group really shouldn't be used for anything- would it make sense to clear the rules either by default- or at least provide an option to do so?

e.g.

resource "aws_default_security_group" "default" {
count = "${var.create_vpc && var.disable_default_sg ? 1 : 0}"

vpc_id = "${aws_vpc.this.id}"
}

[bcwilsondotcom]

I'm running into this. The default security group is wide open to itself, and this goes against CIS standards, which you'll run into if you use Security Hub and subscribe to CIS standards.

[lorengordon]

Running into the CIS findings on this also. I think I'd prefer to see an option to manage the ingress/egress rules, for use cases that do actually use the default security group.

[bryantbiggs]

hey all - I've got a PR up that should work for this. stay tuned!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.