Profile Applicability: Level 1


Description:

SSH (Secure Shell) is used for command-line remote access to a system. To connect to an instance (typically Linux), a rule must be set up that authorizes SSH traffic from the public IPv4 address of the administrator's base computer.

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. These groups should not permit unrestricted access from the internet to SSH (port 22).

Note: Permitting all IP addresses to reach the instance over SSH is unsafe for production environments. For any organization, and for production in particular, it is good practice to authorize only a specific IP address or address range to access the instance.


Rationale:

Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk. 


Impact:

For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another security group. 


Default Value:

The following table describes the default rules for a default security group:

Inbound

  Type         Protocol   Port Range   Source                       Description
  All traffic  All        All          Security Group ID (default)  Inbound traffic is allowed from network interfaces assigned to the same security group.

Outbound

  Type         Protocol   Port Range   Source      Description
  All traffic  All        All          0.0.0.0/0   Allow all outbound IPv4


Audit:

Perform the following to determine if the account is configured as prescribed: 

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home 

  2. Click the Services tab and, under Networking & Content Delivery, click VPC

  3. In the left panel, scroll down to Security

  4. Select the security group

  5. Click the Inbound Rules tab

  6. Ensure no rule exists that has a port range that includes port 22 and has a Source of 0.0.0.0/0

Note: A Port value of ALL, or a port range such as 0-1024, includes port 22.
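The audit above can be automated over the JSON that `aws ec2 describe-security-groups` returns. The following is an added example, not part of the benchmark: it applies the Note's rule that a Port of ALL (protocol "-1" in the API) or a range such as 0-1024 still includes port 22, and it also flags ::/0 as an open IPv6 source, which goes slightly beyond the page's IPv4 check. The group ids, names and rules are constructed sample data.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` JSON output
# (assumption: the group ids, names and rules are made up, not from a real account).
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "GroupName": "legacy", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0ccc", "GroupName": "default", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
    "UserIdGroupPairs": [{"GroupId": "sg-0ccc"}]}]}]}""")

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" for IPv4 and IPv6
SSH_PORT = 22

def rule_covers_port(perm, port=SSH_PORT):
    """True if this permission's protocol and port range include `port`.
    IpProtocol "-1" is what the console shows as Type 'All traffic', Port 'All'."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # SSH is TCP; UDP or ICMP rules do not count
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def rule_is_open(perm):
    """True if any IPv4 or IPv6 source of the permission is the entire internet."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & OPEN_CIDRS)

def find_open_ssh(groups):
    """Return (GroupId, GroupName, 'proto/ports') for each rule failing the audit."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_port(perm) and rule_is_open(perm):
                proto = perm["IpProtocol"]
                ports = "ALL" if proto == "-1" else f"{perm['FromPort']}-{perm['ToPort']}"
                findings.append((sg["GroupId"], sg["GroupName"], f"{proto}/{ports}"))
    return findings

if __name__ == "__main__":
    for gid, name, rule in find_open_ssh(SAMPLE):
        print(f"FAIL {gid} ({name}): {rule} reachable from the internet")
```

Against real output, the "web" group passes (443 is open but 22 is restricted to a single /32), while a 0-1024 range and an "All traffic" rule from ::/0 both fail.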


Remediation:

Pre-Requisites

  1. Before you start, decide who will access the instance: a single host (the authorized person's base machine) or a specific network.

  2. To connect to your instance, you must set up a rule that authorizes SSH traffic.

  3. Determine whether a bastion host is available.

  4. Find out the range of IP addresses used by the client computers.

Implementation Steps

Perform the following to implement the prescribed state: 

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. In the left pane, click Security Groups
  3. For each security group, perform the following:
  4. Select the security group
  5. Click the Inbound Rules tab
  6. Remove any rules that allow ingress from all IPs (0.0.0.0/0) for SSH and save the rules
  7. Click the Edit inbound rules button, delete the default rule (it allows all traffic), and save

    Note:

    Allow SSH access only through a bastion host.

CLI Remediation Steps:

List all security groups with an ingress rule of 0.0.0.0/0 (this filter matches any ingress rule from 0.0.0.0/0, not only port 22, so inspect each listed group's rules before revoking):

aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
--query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

Remove the rule (the protocol, port and CIDR must match the existing rule exactly; a rule with Port "ALL" or a range such as 0-1024 must be revoked as it was defined, not as port 22):

aws ec2 revoke-security-group-ingress \
--group-id <value> --protocol <protocol> \
--port 22 --cidr 0.0.0.0/0


Backout Plan:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home 
  2. In the left pane, click Security Groups
  3. Perform the following steps to reverse the modifications made in the implementation steps
  4. Select the security group 
  5. Click the Inbound Rules tab
  6. Click the Edit inbound rules button, select Type "All traffic", Protocol "All" and Port range "All", and save.


References:

  1. Security groups for your VPC - Amazon Virtual Private Cloud 
  2. Authorize inbound traffic for your Linux instances - Amazon Elastic Compute Cloud


CIS Controls:


9.2 Ensure Only Approved Ports, Protocols and Services Are Running 

  • Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.