Ensure that Security Groups are not open to all

Security Groups should not be open to the internet. If you expand or modify your cloud presence, for instance by adding additional services, or additional regions, you can modify the security policies consistently for all regions from one console

Risk Level: Critical
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.56
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup where networkAssetsStats contain-any [ count != 0 ] or networkInterfaces length()>0 should not have inboundRules with [ scope='0.0.0.0/0' and portTo=0]

REMEDIATION

From Portal:
Configure your Security Groups to only allow access from internal networks and limited access scope. If public interface exists, remove it and limit the access scope within the network only to applications or instances that requires access.

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. In the left pane, click Security Groups
  3. For each security group, perform the following:
  4. Select the security group
  5. Click the Inbound Rules tab
  6. Identify the rules to be removed
  7. Click the x in the Remove column
  8. Click Save

From TF:
Remove any inbound rule with scope 0.0.0.0/0 and port 0 and create entry for specific port and protocol.

resource "aws_security_group" "example" {
	...
	ingress {
		from_port   = desired_port
		to_port     = desired_port
		protocol    = "tcp"
		-   cidr_blocks = ["0.0.0.0/0"]
		+   cidr_blocks = ["specific_IP_range"]
	}
}

From Command Line:
Use below command to remove the inbound rules that permits unrestricted ingress to any port and protocol.

aws ec2 revoke-security-group-ingress --region region_name --group-name security_group_name --protocol protocol_name --port port_name --cidr 0.0.0.0/0

Optionally add a more restrictive ingress rule to the selected Security Group:

aws ec2 authorize-security-group-ingress --region region_name --group-name security_group_name --protocol protocol_name --port port_name --cidr specific_IP_range

References:

  1. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group
  2. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
  3. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-groups.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset