Risk Level: High
Cloud Entity: Amazon Elastic Container Service
CloudGuard Rule ID: D9.AWS.NET.37
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcsService should not have inboundRules with [ scope='0.0.0.0/0' and portTo=0]

REMEDIATION

From Portal
For each ECS service with Security Group, perform the following:

Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
In the left pane, click Security Groups
For each security group, perform the following:
Select the security group
Click the Inbound Rules tab
Identify the rules to be removed
Click the x in the Remove column
Click Save

From TF
Remove any inbound rule with scope 0.0.0.0/0 and port 0 and create entry for specific port and protocol.

resource "aws_security_group" "example" {
	...
	ingress {
		from_port   = desired_port
		to_port     = desired_port
		protocol    = "tcp"
		-   cidr_blocks = ["0.0.0.0/0"]
		+   cidr_blocks = ["specific_IP_range"]
	}
}

From Command Line
Use below command to remove the inbound rules that permits unrestricted ingress to any port and protocol.

aws ec2 revoke-security-group-ingress --region region_name --group-name security_group_name --protocol protocol_name --port port_name --cidr 0.0.0.0/0

Optionally add a more restrictive ingress rule to the selected Security Group:

aws ec2 authorize-security-group-ingress --region region_name --group-name security_group_name --protocol protocol_name --port port_name --cidr specific_IP_range

References

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-groups.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html

Amazon Elastic Container Service

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

AWS CIS Controls V 8
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Default Ruleset