SSH (Secure Shell) is used for remote command-line access to a system. To connect to instances (mainly Linux), we must set up a rule that authorizes SSH traffic from the public IPv4 address of the computer we connect from.
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. These groups should not permit unrestricted access from the internet to SSH (port 22).
Note: permitting all IP addresses to reach the instance over SSH is unsafe for production environments. For any organization, and in production in particular, it is good practice to authorize only a specific IP address or address range to access the instance.
Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.
For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another security group.
The following table describes the default rules for a default security group:
Perform the following to determine if the account is configured as prescribed:
Perform the following to implement the prescribed state:
- Log in to the AWS Management Console
- Go to EC2 service
- In the left pane, click Security Groups
- For each security group, perform the following
- Select the security group
- Click the Inbound Rules tab
- Remove any rules that allow ingress from all IPs (0.0.0.0/0) for SSH, then save the rules
- Click the Edit inbound rules button, delete the default rule (it allows all traffic), and save
Allow SSH access only through a bastion host
Using AWS CLI:
List all security groups with an ingress rule of 0.0.0.0/0:
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0'
Remove the rule:
aws ec2 revoke-security-group-ingress \
--group-id <value> --protocol <protocol> \
--port 22 --cidr 0.0.0.0/0
Re-authorize SSH only from the bastion host's security group (replace <bastion-sg-id> with the bastion's security group ID):
aws ec2 authorize-security-group-ingress --group-id <value> --protocol tcp --port 22 --source-group <bastion-sg-id>
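To audit the output of the describe-security-groups step above without clicking through every group, here is an added Python example (it is not code from the page or from AWS). It parses a constructed sample in the shape of `aws ec2 describe-security-groups --output json`, flags every rule that lets 0.0.0.0/0 or ::/0 reach port 22 or 3389, including rules that only cover those ports through a wider port range or the all-protocols rule, and prints the matching revoke command. The group names, IDs and addresses in the sample are made up.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
# (the same dict boto3's describe_security_groups returns). Group names, IDs and
# addresses are made up for the example; they are not real account data.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupName": "web-open", "GroupId": "sg-0000000000000aaaa", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupName": "wide-range", "GroupId": "sg-0000000000000bbbb", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
  {"GroupName": "all-traffic", "GroupId": "sg-0000000000000cccc", "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupName": "bastion-only", "GroupId": "sg-0000000000000dddd", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [],
      "UserIdGroupPairs": [{"GroupId": "sg-0000000000000eeee"}]}]}
]}
""")

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}      # remote console services the text warns about
WORLD = {"0.0.0.0/0", "::/0"}               # "any source" in IPv4 and IPv6


def rule_covers_port(perm, port):
    """True if one IpPermissions entry includes `port`, whatever its source."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        # All protocols: the API omits FromPort/ToPort, and every port is included.
        return True
    if proto == "tcp":
        return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
    return False  # udp/icmp rules cannot reach SSH or RDP


def world_sources(perm):
    """CIDRs on the rule that mean 'the whole internet' (IPv4 or IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def find_open_admin_rules(describe_output):
    """One finding per (group, rule, world CIDR) that exposes SSH or RDP."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            exposed = sorted(p for p in ADMIN_PORTS if rule_covers_port(perm, p))
            if not exposed:
                continue
            for cidr in world_sources(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Cidr": cidr,
                    "ExposedPorts": exposed,
                })
    return findings


def revoke_command(finding):
    """Build the revoke call for exactly the rule that was found.

    A revoke must match the stored rule, so a 0-1024 range or an all-protocols
    rule is removed whole; port 22 cannot be carved out of it. The narrower
    access still needed (e.g. from the bastion's security group) is then
    re-authorized separately, as in the authorize command above.
    """
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if ":" in finding["Cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["Cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["Cidr"]}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], json.dumps([perm], separators=(",", ":"))))


if __name__ == "__main__":
    for f in find_open_admin_rules(SAMPLE_DESCRIBE_OUTPUT):
        names = ", ".join(ADMIN_PORTS[p] for p in f["ExposedPorts"])
        print("%s exposes %s to %s" % (f["GroupId"], names, f["Cidr"]))
        print("  " + revoke_command(f))
```

On the sample this reports three groups: the plain port-22 rule, the 0-1024 range open over IPv6 (which a filter on `0.0.0.0/0` alone would miss), and the all-protocols rule; the group that only admits the bastion's security group and a single /32 is left alone. The `--ip-permissions` form is used for the revoke because the `--cidr` shorthand cannot express an IPv6 source.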
- Security groups for your VPC - Amazon Virtual Private Cloud
- Authorize inbound traffic for your Linux instances - Amazon Elastic Compute Cloud