Ensure no security groups allow ingress from to remote server administration ports

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389. Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Risk Level: Critical
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.77
Covered by Spectral: No
Category: Networking & Content Delivery


SecurityGroup should not have inboundRules with [ scope='' and ( ( port<=22 and portTo>=22) or ( port<=3389 and portTo>=3389 ) ) ]
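The containment test in the rule above (`port<=22 and portTo>=22`) also catches rules that never name port 22 or 3389, such as a wide port range or an all-traffic rule. The following is an added example, not CloudGuard's own code: it applies that test to constructed data in the shape returned by `aws ec2 describe-security-groups`. It assumes "unrestricted" means the any-address CIDRs `0.0.0.0/0` and `::/0`, and it only considers tcp and udp permissions; the function names and sample group IDs are hypothetical.

```python
ADMIN_PORTS = (22, 3389)             # SSH and RDP, the ports named by the rule
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}   # assumption: any IPv4 / IPv6 address

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0000000000000001", "IpPermissions": [    # SSH, restricted source
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0000000000000002", "IpPermissions": [    # wide range covers 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000003", "IpPermissions": [    # all traffic, IPv6
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000004", "IpPermissions": [    # HTTPS only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}


def exposed_ports(perm):
    """Return the admin ports one ingress permission opens to any address."""
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    if not cidrs & OPEN_CIDRS:
        return []
    proto = perm.get("IpProtocol")
    if proto == "-1":                # all protocols: no port fields, every port open
        return list(ADMIN_PORTS)
    if proto not in ("tcp", "udp"):  # for ICMP, FromPort/ToPort hold type/code
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    # Same containment test as the rule: port <= P and portTo >= P.
    return [p for p in ADMIN_PORTS if lo <= p <= hi]


def find_violations(doc):
    """Map GroupId -> sorted admin ports reachable from any address."""
    out = {}
    for sg in doc.get("SecurityGroups", []):
        ports = {p for perm in sg.get("IpPermissions", []) for p in exposed_ports(perm)}
        if ports:
            out[sg["GroupId"]] = sorted(ports)
    return out


if __name__ == "__main__":
    for group_id, ports in find_violations(SAMPLE).items():
        print(group_id, ports)
```

Groups flagged this way need their matching rule narrowed or replaced as a whole; revoking only an exact port 22 or 3389 rule leaves a covering range or all-traffic rule in place.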


From Portal

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. In the left pane, click Security Groups
  3. For each security group, perform the following:
  4. Select the security group
  5. Click the Inbound Rules tab
  6. Click the Edit inbound rules button
  7. Identify the rules to be edited or removed
  8. Either A) update the Source field to a range other than, or, B) Click Delete to remove the offending inbound rule
  9. Click Save rules

From Command Line

  1. List all security groups with an ingress rule of
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
  2. Remove the rule which has port 22 or 3389 when ingress is
aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP_NAME --protocol tcp --port 22 --cidr
aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP_NAME --protocol tcp --port 3389 --cidr
  3. Now add the inbound rules with different parameters. When port is 22 or 3389 set cidr value other than e.g. or any suitable range.
aws ec2 authorize-security-group-ingress --region REGION --group-name GROUP_NAME --protocol PROTOCOL --port PORT --cidr CIDR_BLOCK

From CFT

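  1. Use the resource AWS::EC2::SecurityGroup. When the port is 22 or 3389, make sure the property AWS::EC2::SecurityGroup::SecurityGroupIngress::CidrIp has a specific cidr range other than "" e.g. "" or any suitable range. See the example template below:
Type: AWS::EC2::SecurityGroup
Properties:
  GroupDescription: DESCRIPTION  # placeholder; CloudFormation requires a description
  SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 3389
      ToPort: 3389
      CidrIp: CIDR_BLOCK  # placeholder: a specific, restricted range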

From TF

  1. Use the resource aws_security_group. When the port is 22 or 3389, make sure the property ingress.cidr_blocks has a specific cidr range other than "" e.g. "" or any suitable range. See the example template below:
resource "aws_security_group" "example" {  # placeholder resource name
	ingress {
		from_port        = 22
		to_port          = 22
		protocol         = "tcp"
		cidr_blocks      = ["CIDR_BLOCK"]  # placeholder: a specific, restricted range
	}
}



AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset