myctrl.tools
Compare

SC-7(5)Deny By Default -- Allow By Exception

MODERATE
HIGH

>Control Description

Deny network communications traffic by default and allow network communications traffic by exception at managed interfaces; for [Assignment: organization-defined systems].

>Cross-Framework Mappings

SCF

NET-04.1
Compare

>Programmatic Queries

Beta

Related Services

Security Groups
Network ACLs
WAF

CLI Commands

Create security group with deny-by-default ingress rules
aws ec2 create-security-group --group-name default-deny-sg --description 'Deny by default security group' --vpc-id vpc-12345678
Add explicit allow rules for necessary exceptions
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 443 --cidr 10.0.0.0/8
Configure default deny network ACL rules
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --rule-number 100 --protocol -1 --cidr 0.0.0.0/0 --egress
Deploy AWS WAF with default deny rules for HTTP traffic
aws wafv2 create-web-acl --region us-east-1 --name default-deny-waf --scope REGIONAL --default-action Block={} --rules file://waf-rules.json
Open AWS ConsoleDocumentation

>Supplemental Guidance

Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of deny by default -- allow by exception?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-7(5)?

Technical Implementation:

  • How is deny by default -- allow by exception technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that deny by default -- allow by exception remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-7(5)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?

Ask AI

Configure your API key to use AI features.