Technical Tip: Agentless deployment creates a default security group inbound rule that allows all traffic from the group's own members
Description
This article describes the default security group rule that is created during FortiCNAPP Agentless deployment with AWS CloudFormation, and why that rule may trigger security posture alerts in external monitoring systems or in FortiCNAPP's own policies.

Scope
FortiCNAPP Agentless deployment using AWS CloudFormation.

Solution
During Agentless deployment in AWS, the CloudFormation template creates a dedicated VPC and security group resources. Because of how CloudFormation provisions these resources, the newly created VPC's default security group may also be associated with the FortiCNAPP Agentless scanning cluster.

AWS creates inbound and outbound rules for every VPC's default security group. The default inbound rule allows all traffic (all protocols and ports) from any resource associated with the same security group. A self-referencing "allow all" rule on a security group attached to running workloads is exactly what security posture checks flag, which is why the alert appears.

The FortiCNAPP deployment also modifies the outbound rules of that security group to permit egress on TCP port 443 only. This outbound connectivity is required: the Agentless scanner service component uses it to communicate securely with the Lacework backend services and to transmit collected workload metadata for analysis, so the outbound rule must be kept.

To remediate the alert, remove the default inbound rule from the default security group after deployment. The default security group itself cannot be deleted, only its rules can be edited; the connectivity the scanner needs is the outbound TCP 443 rule described above. The rule can be removed through the AWS Management Console or the AWS CLI.

AWS Console (screenshots omitted): in the VPC console, open Security Groups, select the default security group of the VPC created by the Agentless stack, choose Edit inbound rules, delete the rule whose source is the security group itself, and save the change.

AWS CLI: identify the default security group of the Agentless VPC, then revoke its self-referencing inbound rule and confirm that no inbound rule remains.

Related document: Agentless workload scanning for AWS - single account integration using CloudFormation
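The AWS CLI path for the remediation above, as an added example written for this page (it is not the article's own command listing and not Fortinet or Lacework code). It assumes AWS CLI v2 configured for the target account and region with ec2:DescribeSecurityGroups, ec2:DescribeSecurityGroupRules and ec2:RevokeSecurityGroupIngress permissions, and takes the ID of the VPC created by the Agentless stack as its only argument. The `select_self_referencing` filter deliberately contains no AWS call, so the rule-selection logic can be checked on constructed rows before the script is pointed at a real account.

```shell
#!/bin/sh
# Added example (not from the Fortinet article or the FortiCNAPP/Lacework code):
# remove the self-referencing "allow all" inbound rule from the default security
# group of the VPC created by the FortiCNAPP Agentless CloudFormation stack.
# Assumptions: AWS CLI v2 is configured for the target account/region with
# ec2:DescribeSecurityGroups, ec2:DescribeSecurityGroupRules and
# ec2:RevokeSecurityGroupIngress permissions; the Agentless VPC ID is known.
set -eu

# Return the ID of the VPC's default security group (AWS names it "default").
default_sg_id() {
  vpc_id="$1"
  aws ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=${vpc_id}" "Name=group-name,Values=default" \
    --query 'SecurityGroups[0].GroupId' --output text
}

# Print inbound rules as tab-separated rows: "<rule-id> <protocol> <source-sg-or-None>".
# A rule whose source is a CIDR has no referenced group, so its third column is "None".
list_ingress_rules() {
  sg_id="$1"
  aws ec2 describe-security-group-rules \
    --filters "Name=group-id,Values=${sg_id}" \
    --query 'SecurityGroupRules[?IsEgress==`false`].[SecurityGroupRuleId,IpProtocol,ReferencedGroupInfo.GroupId]' \
    --output text
}

# Pure filter (no AWS calls): read rows from stdin and print the rule IDs whose
# source is the security group itself. That is the rule posture checks flag.
select_self_referencing() {
  awk -v sg="$1" '$3 == sg { print $1 }'
}

# Revoke the given inbound rule IDs; a no-op when there is nothing to revoke.
revoke_rules() {
  sg_id="$1"; shift
  if [ "$#" -eq 0 ]; then
    echo "no self-referencing inbound rules on ${sg_id}; nothing to do"
    return 0
  fi
  aws ec2 revoke-security-group-ingress \
    --group-id "${sg_id}" --security-group-rule-ids "$@"
}

# Re-read the rules after the change and fail if the rule is still present.
verify_removed() {
  sg_id="$1"
  remaining="$(list_ingress_rules "${sg_id}" | select_self_referencing "${sg_id}")"
  [ -z "${remaining}" ] || { echo "rule still present: ${remaining}" >&2; return 1; }
  echo "default security group ${sg_id} has no self-referencing inbound rule"
}

main() {
  vpc_id="$1"
  sg_id="$(default_sg_id "${vpc_id}")"
  rules="$(list_ingress_rules "${sg_id}" | select_self_referencing "${sg_id}")"
  # Word-splitting of $rules is intended: one rule ID per argument.
  # shellcheck disable=SC2086
  revoke_rules "${sg_id}" ${rules}
  verify_removed "${sg_id}"
}

# Only touch AWS when a VPC ID is supplied; otherwise the functions are just
# defined, so the file can be sourced and the filter exercised offline.
[ "$#" -eq 0 ] || main "$@"
```

Run it as `sh remove_default_sg_rule.sh vpc-0123456789abcdef0` (a placeholder VPC ID; use the VPC created by your Agentless stack). The script leaves the outbound TCP 443 rule untouched and only revokes inbound rules whose source is the group itself, so a rule with a CIDR source or a different source group is never removed by accident; the final verification step re-reads the group so the run fails loudly if the revoke did not take effect.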

