Risk Level: Critical
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.01
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup should not have inboundRules with [scope = '0.0.0.0/0' and port<=22 and portTo>=22]

REMEDIATION

Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.
From Portal

Login to the AWS Management Console and open Amazon VPC console https://console.aws.amazon.com/vpc/home
In the navigation pane, choose Security Groups.
For each security group, perform the following:
Select the security group
Click the Inbound Rules tab
Identify the rules to be removed
Edit the inbound rule, change the source cidr range or Delete the rule.
Click Save

From TF
Add CIDR range to restrict ingress access to port 22.

resource "aws_security_group" "test" {
    name        = "allow_tls4"
    description = "Allow TLS inbound traffic"
    
    ingress {
        description = "TLS from VPC"
        from_port   = 22
        to_port     = 22
        protocol    = "tcp"
        -   cidr_blocks = ["0.0.0.0/0"]
        +   cidr_blocks = ["10.92.168.0/28"]
    }
}

From Command Line
To make sure security groups don't allow ingress from 0.0.0.0/0 to SSH (TCP:22), run:

aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP-NAME --protocol PROTOCOL --port 22 --cidr 0.0.0.0/0

References

https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html?highlight=ingress
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#ingress

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

AWS CIS Controls V 8
AWS CIS Foundations v. 1.0.0
AWS CIS Foundations v. 1.1.0
AWS CIS Foundations v. 1.2.0
AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard Network Alerts for default VPC components
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS LGPD regulation
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Dashboards
CloudGuard AWS Default Ruleset