Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP DB port
In order to implement the principle of least privilege and reduce the possibility of a breach. Always make sure EC2 instances are not exposed incoming traffic from 0.0.0.0/0 to known TCP DB ports
Risk Level: High
Cloud Entity: Amazon EC2 Instance
CloudGuard Rule ID: D9.AWS.NET.80
Covered by Spectral: No
Category: Compute
GSL LOGIC
Instance where isPublic=true and nics contain [ subnet.routeTable.associations length()>0 and subnet.routeTable.routes contain [ destinationCidrBlock='0.0.0.0/0' and gatewayId like 'igw-%' ] ] should not have nics contain [ securityGroups contain [ inboundRules contain [ scope='0.0.0.0/0' and port in($CloudGuard_Known_DB_TCP_Ports) and protocol in('TCP', 'ALL') ] ] ]
REMEDIATION
From Portal
- Sign in to the AWS Management Console, and Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/ .
- In the navigation pane, choose Instances.
- Select your instance and, in bottom half of the screen, choose the Security tab.
- Security groups lists the security groups that are associated with the instance. Inbound rules displays a list of the inbound rules that are in effect for the instance.
- Identify the security group with the scope 0.0.0.0/0 and a Known TCP port from the list in GSL.
- On the Edit inbound rules page, modify the traffic source that allow traffic from 0.0.0.0/0 to one of the port from the list.
- Select My IP from the Source dropdown list to allow inbound traffic only from your machine or Select Custom from the Source dropdown list and enter appropriate range of IPs.
- Click Save to apply the changes.
From Command Line
- Identify the security group associated with the instance.Remove the rule which has ingress is 0.0.0.0/0 to one of the from the GSL list.
aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP_NAME --protocol tcp --port PORT_NUMBER --cidr 0.0.0.0/0
- Now add the inbound rules with different parameters, Modify the CIDR_BLOCK to appropriate range in order to restrict access from 0.0.0/0 to one of the port from the list.
aws ec2 authorize-security-group-ingress --region REGION --group-name GROUP_NAME --protocol PROTOCOL --port PORT --cidr CIDR_BLOCK
From CFT
Use the link to the Cloudformation resource from the references.
From TF
Use the link to the terraform resource from the references.
References
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html#
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
Amazon EC2 Instance
Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard CheckUp
- AWS CloudGuard Network Alerts for default VPC components
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS GDPR Readiness
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated about 1 year ago