Ensure no security group ingress allows traffic from 0.0.0.0/0 to etcd (TCP:2379)

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 2379.

Risk Level: High
Cloud Entity: AWS Security Group
CloudGuard Rule ID: D9.CFT.NET.19
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

AWS_EC2_SecurityGroupIngress should not have CidrIp='0.0.0.0/0' and FromPort>='2379' and ToPort<='2379'

REMEDIATION

From CFT
Set AWS_EC2_SecurityGroupIngress CidrIp property to a restrictive IP address or IP range.

References

  1. https://docs.aws.amazon.com/quicksight/latest/user/vpc-security-groups.html

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

  • AWS CloudFormation ruleset