Ensure no security groups allow ingress from ::/0 to remote server administration ports

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Risk Level: Critical
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.AWS.NET.91
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

SecurityGroup should not have inboundRules with [ (scope='::/0') and ( ( port<=22 and portTo>=22) or ( port<=3389 and portTo>=3389 ) ) ]

REMEDIATION

From Portal

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. In the left pane, click Security Groups
  3. For each security group, perform the following:
  4. Select the security group
  5. Click the Inbound Rules tab
  6. Click the Edit inbound rules button
  7. Identify the rules to be edited or removed
  8. Either A) update the Source field to a range other than ::/0, or, B) Click Delete to remove the offending inbound rule
  9. Click Save rules.

From Command Line

  1. List all security groups with an ingress rule of ::/0.
aws ec2 describe-security-groups --filters Name=ip-permission.ipv6-cidr,Values='::/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
  1. Remove the rule which has port 22 or 3389 when ingress is ::/0.
aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP_NAME --ip-permissions IpProtocol=PROTOCOL,FromPort=PORT,ToPort=PORT,Ipv6Ranges="[{CidrIpv6=::/0}]"
  1. Now add the inbound rules with different parameters, When port is 22 or 3389 set cidr value other than ::/0 e.g. 2001:db8🔢1a00::/64 or any suitable range.
aws ec2 authorize-security-group-ingress --region REGION --group-name GROUP_NAME --ip-permissions IpProtocol=PROTOCOL,FromPort=PORT,ToPort=PORT,Ipv6Ranges="[{CidrIpv6=CIDR_BLOCK}]"

From TF
Use the resource aws_security_group. When port is 22 or 3389, make sure property ingress.cidr_blocks has specific cidr range other than "::/0" e.g. "2001:db8🔢1a00::/64" or any suitable range. See below example template;

resource "aws_security_group" "example" {
	...
	ingress {
		from_port        = PORT
		to_port          = PORT
		protocol         = "tcp"
		ipv6_cidr_blocks    = ["CIDR_BLOCK"]
	}
	...
}

References

  1. https://workbench.cisecurity.org/sections/844441/recommendations/2319229
  2. https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html
  3. https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html
  4. https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html
  5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CIS Foundations v. 1.5.0
  • AWS CIS Foundations v. 2.0.0
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset