Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access on all ports and protocols: an inbound rule with source 0.0.0.0/0 and protocol set to all exposes every listening service on the attached instances to the entire internet.
Risk Level: Critical
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.08
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
SecurityGroup should not have inboundRules with [ scope='0.0.0.0/0' and portTo=0]
REMEDIATION
Reduce the scope of each inbound rule to the source ranges, protocol, and ports that are actually required. Where the clients are inside AWS, reference a security group or prefix list as the source instead of a CIDR; and apply the same restriction to the IPv6 equivalent ::/0, which this rule's logic does not cover.
From Portal
- Log in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/home
- In the navigation pane, choose Security Groups.
- For each security group, perform the following:
a. Select the security group.
b. Click the Inbound Rules tab.
c. Identify the rules whose source is 0.0.0.0/0 and whose protocol is All (all ports).
d. Edit the inbound rule and change the source CIDR range or the protocol and port range, or delete the rule. Click Save.
From TF
Specify the source CIDR range, protocol and port range explicitly so that the rule no longer allows ingress on all ports and protocols from any address:
resource "aws_security_group" "test" {
name = "allow_tls4"
description = "Allow TLS inbound traffic"
ingress {
description = "TLS from VPC"
from_port = 3389 # any port number apart from 0
to_port = 3389 # any port number apart from 0
- protocol = "ALL"
+ protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = ["10.92.168.0/28"]
}
}
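Review bot: `protocol = "ALL"` in the removed line is not a value the aws_security_group ingress block accepts; the provider uses "-1" for all protocols and then requires from_port and to_port to be 0, so the "before" state as shown would not have applied in the first place. The added lines are valid, but the descriptions "Allow TLS inbound traffic" and "TLS from VPC" no longer match port 3389 (RDP), and the resource has no vpc_id, so it would be created in the default VPC; consider `description = "RDP from management subnet"` and adding `vpc_id`.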
From Command Line
To confirm that no security group allows ingress from 0.0.0.0/0 to all ports, list the groups with `aws ec2 describe-security-groups` and look for inbound permissions whose IpProtocol is -1 and whose IpRanges contain 0.0.0.0/0. To remove such a rule, run:
aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP-NAME --protocol PROTOCOL --port PORT --cidr 0.0.0.0/0
Replace REGION, GROUP-NAME, PROTOCOL and PORT with the values of the offending rule. For a rule that covers all protocols, PROTOCOL is -1 and --port is omitted (the API ignores ports for -1); for a group in a non-default VPC, identify it with --group-id instead of --group-name, which only works for the default VPC.
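The following is an added example, not CloudGuard's or AWS's code. It applies the same test as the GSL logic above to the JSON that `aws ec2 describe-security-groups` (or boto3's describe_security_groups) returns, and for each finding builds the matching revoke command using `--ip-permissions` and `--group-id`, which avoids the port and group-name pitfalls of the command above. The sample document is constructed for the example and its group and VPC IDs are invented.

```python
"""Audit security groups for inbound rules open to 0.0.0.0/0 on all protocols/ports.

Added example (not CloudGuard's or AWS's code). Reads the describe-security-groups
output format and flags permissions whose source is 0.0.0.0/0 and whose protocol is
-1 (all protocols, hence all ports), which is what the GSL rule models as portTo=0.
"""
import json
import shlex

ANY_IPV4 = "0.0.0.0/0"

# Constructed sample in describe-security-groups output format (IDs are invented).
SAMPLE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {   # Violates the rule: all protocols from anywhere.
            "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "wide-open",
            "VpcId": "vpc-0123456789abcdef0",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []}
            ],
        },
        {   # Open to the world, but only on TCP/443: not a finding of this rule.
            "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "public-https",
            "VpcId": "vpc-0123456789abcdef0",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []}
            ],
        },
        {   # All protocols, but only from an internal /28: compliant.
            "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "internal-any",
            "VpcId": "vpc-0123456789abcdef0",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "10.92.168.0/28"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []}
            ],
        },
    ]
})


def is_all_traffic_from_anywhere(perm: dict) -> bool:
    """True when a permission allows every protocol and port from 0.0.0.0/0.

    IpProtocol "-1" means all protocols; the API omits FromPort/ToPort for it.
    """
    if perm.get("IpProtocol") != "-1":
        return False
    return any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))


def find_violations(describe_output: str) -> list:
    """Return (GroupId, GroupName) for every group with an offending inbound rule."""
    groups = json.loads(describe_output)["SecurityGroups"]
    return [
        (g["GroupId"], g["GroupName"])
        for g in groups
        if any(is_all_traffic_from_anywhere(p) for p in g.get("IpPermissions", []))
    ]


def revoke_command(group_id: str, region: str) -> str:
    """Build the CLI command that removes exactly the offending rule.

    --ip-permissions is used instead of --protocol/--port because an all-protocol
    rule has no port, and --group-id because --group-name only resolves groups in
    the default VPC. The command is returned as a string for review, not executed.
    """
    perms = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]}]
    return (
        "aws ec2 revoke-security-group-ingress "
        f"--region {region} --group-id {group_id} "
        f"--ip-permissions {shlex.quote(json.dumps(perms))}"
    )


if __name__ == "__main__":
    for gid, name in find_violations(SAMPLE_OUTPUT):
        print(f"# {name} ({gid}) allows all traffic from {ANY_IPV4}")
        print(revoke_command(gid, "us-east-1"))
```

Feed it real data with `aws ec2 describe-security-groups --region REGION --output json` on standard input in place of SAMPLE_OUTPUT. The check mirrors the GSL logic literally: a rule for tcp ports 0-65535 from 0.0.0.0/0 has portTo=65535 and is therefore not a finding of this rule even though it is almost as exposed, so pair this audit with the per-port rules in the same ruleset.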
References
- https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html?highlight=ingress
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#ingress
AWS Security Group
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard Network Alerts for default VPC components
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset