Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access.

Risk Level: Critical
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.08
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup should not have inboundRules with [ scope='0.0.0.0/0' and portTo=0]
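The GSL condition above, as an added offline check (not CloudGuard's own code) run over the JSON shape that `aws ec2 describe-security-groups` returns. It assumes that the "all ports and protocols" rule modelled by portTo=0 appears in that output as IpProtocol "-1" with no FromPort/ToPort; the sample groups are constructed.

```python
"""Offline check for CloudGuard rule D9.AWS.NET.08 over describe-security-groups output.

Assumption: an ingress rule covering every port and protocol is represented by
IpProtocol "-1" (the AWS API value for "all traffic"), which is what the GSL
condition portTo=0 models. Sample data below is constructed, not real output.
"""
import json

ANY_IPV4 = "0.0.0.0/0"


def rule_is_unrestricted(perm: dict) -> bool:
    """True when one IpPermissions entry opens every port and protocol to 0.0.0.0/0."""
    all_traffic = perm.get("IpProtocol") == "-1"
    open_to_world = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    return all_traffic and open_to_world


def find_violations(describe_output: dict) -> list:
    """Return (GroupId, GroupName) for each security group that breaks the rule."""
    bad = []
    for sg in describe_output.get("SecurityGroups", []):
        if any(rule_is_unrestricted(p) for p in sg.get("IpPermissions", [])):
            bad.append((sg["GroupId"], sg["GroupName"]))
    return bad


# Constructed sample: a compliant group, an all-traffic group open to the world,
# and a single-port group open to the world (out of scope for this rule).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "allow_tls4",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "10.92.168.0/28"}]}]},
  {"GroupId": "sg-0bbb", "GroupName": "wide-open",
   "IpPermissions": [{"IpProtocol": "-1",
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0ccc", "GroupName": "ssh-world",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

if __name__ == "__main__":
    for gid, name in find_violations(SAMPLE):
        print(f"{gid} ({name}): ingress from 0.0.0.0/0 on all ports and protocols")
```

Only the all-traffic group is reported; a rule open to the world on a single port is left to the port-specific rules.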

REMEDIATION

Reduce the scope of the inbound rules to just the necessary scope, protocol, and ports.

From Portal

  1. Log in to the AWS Management Console and open the Amazon VPC console: https://console.aws.amazon.com/vpc/home
  2. In the navigation pane, choose Security Groups.
  3. For each security group, perform the following:
    a. Select the security group
    b. Click the Inbound Rules tab
    c. Identify the rules to be removed or edited
    d. Edit the inbound rule, changing the source CIDR range, or delete the rule.
  4. Click Save

From TF
Restrict the ingress block to the necessary CIDR range, port and protocol instead of all ports, all protocols and 0.0.0.0/0:

resource "aws_security_group" "test" {
  name        = "allow_tls4"
  description = "Allow TLS inbound traffic"

  ingress {
    description = "TLS from VPC"
    from_port   = 3389                 # any port number apart from 0
    to_port     = 3389                 # any port number apart from 0
    protocol    = "tcp"                # was "ALL" (every protocol)
    cidr_blocks = ["10.92.168.0/28"]   # was ["0.0.0.0/0"]
  }
}

From Command Line
To make sure no security group allows ingress from 0.0.0.0/0 to all ports, revoke the offending inbound rule:

aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP-NAME --protocol PROTOCOL --port PORT --cidr 0.0.0.0/0

References

  1. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
  2. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html?highlight=ingress
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#ingress

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset