Ensure no security groups allow ingress from to RDP (TCP:3389)

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.

Risk Level: Critical
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.02
Covered by Spectral: Yes
Category: Networking & Content Delivery


SecurityGroup should not have inboundRules with [scope =  '' and port<=3389 and portTo>=3389]
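
The range test in the rule above (`port<=3389 and portTo>=3389`) also flags rules that open a span of ports containing 3389, not only rules for 3389 itself. The Python below is an added example, not CloudGuard's own code, that applies the same test to data shaped like `aws ec2 describe-security-groups` output. It assumes the rule's blank scope value means the unrestricted sources 0.0.0.0/0 and ::/0; the sample groups and function names are constructed for illustration.

```python
import json

RDP_PORT = 3389
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # assumption: the rule's blank scope means any source

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-exact", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-range", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 3000, "ToPort": 4000, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-allproto", "IpPermissions": [{"IpProtocol": "-1",
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-restricted", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
 {"GroupId": "sg-https", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}""")


def covers_rdp(perm):
    """True if the permission's protocol and port span include TCP 3389."""
    if perm.get("IpProtocol") == "-1":  # all protocols, so every port
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    # Same test as the rule: port <= 3389 and portTo >= 3389.
    return perm["FromPort"] <= RDP_PORT <= perm["ToPort"]


def open_sources(perm):
    """Unrestricted IPv4 and IPv6 sources attached to the permission."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in OPEN_CIDRS]


def find_open_rdp(doc):
    """List (group id, cidr) for each rule that exposes 3389 to any source."""
    return [(g["GroupId"], c)
            for g in doc["SecurityGroups"]
            for p in g.get("IpPermissions", [])
            if covers_rdp(p)
            for c in open_sources(p)]


if __name__ == "__main__":
    for group_id, cidr in find_open_rdp(SAMPLE):
        print(f"{group_id}: TCP 3389 reachable from {cidr}")
```

The all-protocols group (`"-1"`) is reported even though it never names port 3389, which is the case a plain port match would miss.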


Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

From Portal

  1. Log in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/home
  2. In the navigation pane, choose Security Groups.
  3. For each security group, perform the following:
  4. Select the security group.
  5. Click the Inbound Rules tab.
  6. Identify the rules to be removed.
  7. Edit the inbound rule: change the source CIDR range, or delete the rule.
  8. Click Save.

From TF
Add a CIDR range to restrict ingress access to port 3389.

resource "aws_security_group" "test" {
	name        = "allow_tls4"
	description = "Allow TLS inbound traffic"
	ingress {
		description = "TLS from VPC"
		from_port   = 3389
		to_port     = 3389
		protocol    = "tcp"
		-   cidr_blocks = [""]
		+   cidr_blocks = [""]
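
Review bot: the labels in this resource do not match the port it opens. `name = "allow_tls4"`, `description = "Allow TLS inbound traffic"` and the ingress `description = "TLS from VPC"` all say TLS, while `from_port` and `to_port` are 3389, which is RDP. Rename them so an audit of the group reads correctly. The removed and added `cidr_blocks` lines both show an empty string, so the change as written is a no-op and the intended ranges are not visible; the added line should carry the specific administrative range that needs RDP. The `ingress` and `resource` blocks are also missing their closing braces.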

From Command Line
To make sure security groups don't allow ingress from to RDP (TCP:3389), run:

aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP-NAME --protocol PROTOCOL --port 3389 --cidr



AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 1.0.0
  • AWS CIS Foundations v. 1.1.0
  • AWS CIS Foundations v. 1.2.0
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset