Profile Applicability: Level 1


Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389. If a security group allows RDP traffic from any source, an attacker can attempt to brute force the credentials of the system and, if successful, potentially gain access to the entire network. Therefore, limit the access list to known hosts, services, or specific employees only.
RDP (Remote Desktop Protocol) is developed by Microsoft and provides a graphical user interface for connecting from one computer to another.


Note: Allowing all IPv4 addresses to reach your instance over RDP is unsafe for production environments. Authorize only a specific IP address or range of addresses to access your instance.


Rationale

Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.


Impact

For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another security group.


Default Value

VPC automatically comes with a default security group. If you don't specify a different security group when you launch the instance, the default security group will be associated with the instance. By default, the security group allows all inbound connections. 


Pre-Requisite

  1. Identify AWS resources that exist within the default security group.

  2. Before the implementation steps, create a set of least-privilege security groups for those resources.

  3. Place the resources in those security groups.

  4. Remove the resources noted in #1 from the default security group.


Remediation


Test Plan

Perform the following to determine if the account is configured as prescribed:

  1. Log in to the AWS Management Console and go to the VPC dashboard at https://console.aws.amazon.com/vpc/home
  2. In the left navigation pane, click Security Groups
  3. Select the security group to audit
  4. Click the Inbound Rules tab
  5. Review the inbound rules

If, for port 3389, the source is set to 0.0.0.0/0 or ::/0 (Anywhere), the selected security group allows unrestricted traffic on port 3389, and RDP access to the associated instances is not secured.

Using AWS CLI:


To describe a security group:

aws ec2 describe-security-groups \
  --group-id <group_id>


To list security groups that have a rule for port 3389 allowing access from all addresses:

aws ec2 describe-security-groups \
  --filters Name=ip-permission.from-port,Values=3389 \
            Name=ip-permission.to-port,Values=3389 \
            Name=ip-permission.cidr,Values='0.0.0.0/0' \
  --query "SecurityGroups[*].[GroupName]"
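The CLI filter above matches only rules whose from-port and to-port are exactly 3389; a rule for all traffic (protocol -1) or for a port range that includes 3389 also exposes RDP and would be missed. As an added example that is not part of this benchmark, the following Python check parses describe-security-groups JSON output and flags every rule that reaches port 3389 from 0.0.0.0/0 or ::/0. The sample groups, IDs and CIDRs are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs, names and CIDRs are placeholders, not from a real account.
SAMPLE_JSON = """{"SecurityGroups": [
 {"GroupId": "sg-0000000000000001", "GroupName": "rdp-open",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0000000000000002", "GroupName": "all-traffic-open",
  "IpPermissions": [{"IpProtocol": "-1",
   "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0000000000000003", "GroupName": "high-ports-open",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0000000000000004", "GroupName": "rdp-restricted",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]}
]}"""

RDP_PORT = 3389
UNRESTRICTED = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "Anywhere"


def rule_covers_port(perm, port):
    """True if one IpPermissions entry reaches the given TCP port.
    IpProtocol "-1" means all protocols and ports and carries no port fields."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):      # RDP is TCP; "6" is its IANA number
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_rdp(describe_output):
    """Return (GroupId, GroupName, cidr) for each rule exposing RDP to the world."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, RDP_PORT):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings.extend((sg["GroupId"], sg["GroupName"], c)
                            for c in cidrs if c in UNRESTRICTED)
    return findings


def audit_sample():
    """Run the check over the constructed sample; feed real CLI output instead."""
    return find_open_rdp(json.loads(SAMPLE_JSON))
```

To audit a real account, pipe `aws ec2 describe-security-groups --output json` into `find_open_rdp(json.load(sys.stdin))`; each finding names a group that fails this check.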


Implementation Steps

Perform the following to implement the prescribed state:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home
  2. In the left navigation pane, click Security Groups
  3. Choose the security group whose RDP (port 3389) rules you want to configure
  4. Click the Inbound Rules tab for the selected security group
  5. Click the Edit inbound rules button
  6. In the Edit inbound rules dialog box, open the Source dropdown and perform one of the following actions to restrict the inbound traffic:
    1. Select My IP to allow inbound traffic only from your machine (i.e., from your IP address only).
    2. Select Custom and enter IP addresses, or the name or ID of another security group, based on your access requirements.

  7. Click the Save rules button


Using AWS CLI

1. List all security groups with an ingress rule from 0.0.0.0/0

aws ec2 describe-security-groups \
  --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
  --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"


2. Remove the rule

aws ec2 revoke-security-group-ingress \
  --group-id <value> --protocol <protocol> \
  --port 3389 --cidr 0.0.0.0/0


3. Add a restrictive ingress rule to the selected security group

aws ec2 authorize-security-group-ingress \
  --region <region> --group-name <group_name> \
  --protocol <protocol> --port 3389 --cidr <cidr_block>


Backout Plan

To revert to the previous settings, go through the Implementation Steps section and re-apply the earlier rules that you recorded beforehand. Alternatively, delete the security group you created.

Step 1: Sign in to the AWS Management Console.

Step 2: Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click Security Groups under the NETWORK & SECURITY section in the left navigation pane.

Step 4: Open the security group by clicking on its security group ID.

Step 5: Click the Actions dropdown and select Edit inbound rules.

Step 6: In the Edit inbound rules dialog, set the previous rule again (which allows all the traffic) and save it.


Using AWS CLI

To restore the previous rule that allowed all traffic (a source is required, so the 0.0.0.0/0 CIDR removed in the implementation steps is given again):

aws ec2 authorize-security-group-ingress \
  --group-id <value> \
  --protocol all \
  --cidr 0.0.0.0/0


Reference

Authorize inbound traffic for your Windows instances - Amazon Elastic Compute Cloud 

Security groups for your VPC - Amazon Virtual Private Cloud 



CIS Controls:

9.2 Ensure Only Approved Ports, Protocols, and Services Are Running

Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.