Ensure no ECS Services allow ingress from 0.0.0.0/0 to ALL ports and protocols

It is recommended that no ECS service allows unrestricted ingress access to all ports and protocols. A security group rule with source 0.0.0.0/0 that covers every protocol exposes every listener on the task's network interface, including remote console services such as SSH, to the whole Internet. Removing such catch-all rules and allowing only the specific ports and protocols the service needs, from the source ranges that need them, reduces the service's exposure to risk.

Risk Level: High
Cloud Entity: Amazon Elastic Container Service
CloudGuard Rule ID: D9.AWS.NET.37
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcsService should not have inboundRules with [ scope='0.0.0.0/0' and portTo=0]

REMEDIATION

From Portal
For each security group attached to an ECS service, perform the following:

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. In the left pane, click Security Groups
  3. For each security group, perform the following:
  4. Select the security group
  5. Click the Inbound Rules tab
  6. Identify the rules to be removed
  7. Click the x in the Remove column
  8. Click Save

From TF
Remove any inbound rule with source 0.0.0.0/0 that covers all ports and protocols (in Terraform: from_port = 0, to_port = 0, protocol = "-1") and replace it with an entry for the specific port, protocol and source range the service needs.

resource "aws_security_group" "example" {
	...
	ingress {
		from_port   = desired_port
		to_port     = desired_port
		protocol    = "tcp"
		-   cidr_blocks = ["0.0.0.0/0"]
		+   cidr_blocks = ["specific_IP_range"]
	}
}

From Command Line
Use the command below to remove an inbound rule that permits unrestricted ingress on all ports and protocols. A catch-all rule is revoked with --protocol all and no --port option (a port has no meaning for protocol all). Use --group-id rather than --group-name: names are only accepted for groups in the default VPC.

aws ec2 revoke-security-group-ingress --region region_name --group-id security_group_id --protocol all --cidr 0.0.0.0/0

Optionally add a more restrictive ingress rule to the selected security group, naming the specific protocol, port and source range:

aws ec2 authorize-security-group-ingress --region region_name --group-id security_group_id --protocol protocol_name --port port_number --cidr specific_IP_range
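The GSL logic above and the command-line remediation can be combined into an offline audit: walk each ECS service's awsvpc security groups, flag every rule that allows all protocols (IpProtocol "-1", which carries no port range) from a wildcard source, and emit the matching revoke command. The following is an added example, not CloudGuard's rule engine or AWS code. It consumes the JSON shapes returned by `aws ecs describe-services` and `aws ec2 describe-security-groups`, so live output can be fed to the same functions; the service ARNs, group IDs and rules embedded below are constructed sample data. It goes slightly beyond the rule by also reporting the IPv6 wildcard ::/0, and it deliberately does not flag a catch-all rule whose source is another security group, nor an all-source rule limited to a single port (neither is what this rule covers).

```python
"""Audit ECS services for security groups allowing 0.0.0.0/0 (or ::/0)
ingress on all ports and protocols, and build the revoke command for each.

Added example, not CloudGuard or AWS code. Sample data below is constructed.
"""
import json
import shlex

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def is_catch_all_rule(perm):
    """True when an IpPermissions entry opens every port of every protocol.

    IpProtocol "-1" means all protocols; the API reports no FromPort/ToPort
    for such rules, which is what the GSL condition portTo=0 corresponds to.
    """
    return perm.get("IpProtocol") == "-1" and "FromPort" not in perm


def unrestricted_sources(perm):
    """Wildcard CIDRs (v4 and v6) referenced by a rule; SG sources are ignored."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    return v4 + v6


def service_security_groups(describe_services):
    """Map service ARN -> security group IDs from the awsvpc network configuration.

    Services without awsvpcConfiguration (bridge/host mode) have no SG of their own.
    """
    out = {}
    for svc in describe_services.get("services", []):
        cfg = svc.get("networkConfiguration", {}).get("awsvpcConfiguration", {})
        out[svc["serviceArn"]] = list(cfg.get("securityGroups", []))
    return out


def find_violations(describe_services, describe_security_groups):
    """One finding per (service, group, wildcard CIDR) that violates the rule."""
    sgs = {sg["GroupId"]: sg for sg in describe_security_groups.get("SecurityGroups", [])}
    findings = []
    for svc_arn, sg_ids in service_security_groups(describe_services).items():
        for sg_id in sg_ids:
            sg = sgs.get(sg_id)
            if sg is None:
                continue  # group not present in the inventory we were given
            for perm in sg.get("IpPermissions", []):
                if not is_catch_all_rule(perm):
                    continue
                for cidr in unrestricted_sources(perm):
                    findings.append({"service": svc_arn, "group_id": sg_id, "cidr": cidr})
    return findings


def revoke_command(finding, region):
    """Shell command that removes the offending rule.

    --group-id is used because group names are only accepted in the default VPC,
    and --port is omitted because it has no meaning for protocol all. The IPv6
    wildcard has no shorthand flag, so it is passed via --ip-permissions instead.
    """
    args = ["aws", "ec2", "revoke-security-group-ingress",
            "--region", region, "--group-id", finding["group_id"]]
    if ":" in finding["cidr"]:
        perm = [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": finding["cidr"]}]}]
        args += ["--ip-permissions", json.dumps(perm)]
    else:
        args += ["--protocol", "all", "--cidr", finding["cidr"]]
    return shlex.join(args)


# Constructed sample data in the shape of the two describe-* API responses.
SAMPLE_SERVICES = {"services": [
    {"serviceArn": "arn:aws:ecs:us-east-1:123456789012:service/demo/api",
     "networkConfiguration": {"awsvpcConfiguration": {"subnets": ["subnet-0a1b"],
                                                      "securityGroups": ["sg-0aaa"]}}},
    {"serviceArn": "arn:aws:ecs:us-east-1:123456789012:service/demo/worker",
     "networkConfiguration": {"awsvpcConfiguration": {"subnets": ["subnet-0a1b"],
                                                      "securityGroups": ["sg-0bbb"]}}},
    {"serviceArn": "arn:aws:ecs:us-east-1:123456789012:service/demo/legacy"},
]}
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "api-open", "IpPermissions": [
        # violates the rule: all protocols from both wildcard sources
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}],
         "Ipv6Ranges": [{"CidrIpv6": ANY_V6}], "UserIdGroupPairs": []},
        # public HTTPS only: open source, but not all ports/protocols
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}]},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "worker", "IpPermissions": [
        # all protocols, but only from another security group: not a violation
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "123456789012"}]},
    ]},
]}

if __name__ == "__main__":
    for f in find_violations(SAMPLE_SERVICES, SAMPLE_SGS):
        print(f"{f['service']} uses {f['group_id']} open to {f['cidr']} on all ports/protocols")
        print("  " + revoke_command(f, "us-east-1"))
```

Run the audit before revoking anything and review the printed commands: a service that really needs a public listener should get the narrow authorize-security-group-ingress rule from the previous step first, so the rollover does not drop legitimate traffic.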

References

  1. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group
  2. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
  3. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-groups.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html

Amazon Elastic Container Service

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset