Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port

In order to implement the principle of least privilege and reduce the possibility of a breach. Always make sure EC2 instances are not exposed incoming traffic from 0.0.0.0/0 to known TCP ports

Risk Level: Medium
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.NET.78
Covered by Spectral: No
Category: Compute

GSL LOGIC

Instance where isPublic=true and nics contain [ subnet.routeTable.associations length()>0 and subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId like 'igw-%' ] ] should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_TCP_Ports) and protocol in('TCP', 'ALL') ] ] ]

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console, and Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/ .
  2. In the navigation pane, choose Instances.
  3. Select your instance and, in bottom half of the screen, choose the Security tab.
  4. Security groups lists the security groups that are associated with the instance. Inbound rules displays a list of the inbound rules that are in effect for the instance.
  5. Identify the security group with the scope 0.0.0.0/0 and a Known TCP port from the list in GSL.
  6. On the Edit inbound rules page, modify the traffic source that allow traffic from 0.0.0.0/0 to one of the port from the list.
  7. Select My IP from the Source dropdown list to allow inbound traffic only from your machine or Select Custom from the Source dropdown list and enter appropriate range of IPs.
  8. Click Save to apply the changes.

From Command Line

  1. Identify the security group associated with the instance.Remove the rule which has ingress is 0.0.0.0/0 to one of the from the GSL list.
aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP_NAME --protocol tcp --port PORT_NUMBER --cidr 0.0.0.0/0
  1. Now add the inbound rules with different parameters, Modify the CIDR_BLOCK to appropriate range in order to restrict access from 0.0.0/0 to one of the port from the list.
aws ec2 authorize-security-group-ingress --region REGION --group-name GROUP_NAME --protocol PROTOCOL --port PORT --cidr CIDR_BLOCK

From CFT
Use the link to the Cloudformation resource from the references.

From TF
Use the link to the terraform resource from the references.

References

  1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html#
  3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
  5. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

Amazon EC2 Instance

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard Network Alerts for default VPC components
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS GDPR Readiness
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS LGPD regulation
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset