Description:

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allow unrestricted ingress access to any port.

Restricting ingress on every port means that no port on the AWS or cloud service accepts traffic from arbitrary sources: any service or application listening on a particular port is reachable only from the sources that are explicitly allowed. This considerably reduces the exposure of resources in the cloud.


Rationale:

Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk. Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to any port.


Impact:

Disallowing unrestricted ingress (inbound) access to any port minimizes the opportunities for malicious activity such as hacking, data loss, and many kinds of attacks (brute-force attacks, Denial of Service (DoS) attacks, etc.).



Default Value:


Inbound default value:

Type         Protocol   Port Range   Source                                           Description
All traffic  All        All          Security Group ID (e.g. sg-dedc3c97 / default)   For the associated instances, inbound traffic is allowed from network interfaces that are assigned to the same security group.


Pre-Requisite

1. Before starting the implementation steps below, record the existing inbound configuration: every allowed IP range and port.

2. Avoid logging in as the root user.

3. Only authorized persons (i.e., admins) should have access to the Security Groups.

4. You cannot delete the default security groups, but you can edit and modify them; you can also create your own security groups and define your own rules in them.

5. Do not attach the default security group to any EC2 instance unless you have modified its default inbound or outbound rules.



Test Plan:


Perform the following steps to determine if the account is configured as prescribed:

Step 1: Log in to AWS Management Console and go to VPC https://console.aws.amazon.com/vpc/home



Step 2: Choose Security Groups in the left navigation.



Step 3: For each security group, perform the following:

Step 4: Select the security group.


Step 5: Click the Inbound Rules tab.


Step 6: Ensure no rule exists that has a port range that includes any port and has a Source of 0.0.0.0/0.



Using the AWS CLI:


The following command describes a security group; run it for each security group individually to check which IP ranges and ports are allowed inbound or outbound:

aws ec2 describe-security-groups --group-ids <security_group_id>

Remediation:


Implementation Steps:

Perform the following steps to implement the prescribed state:

Step 1: Log in to AWS Management Console and go to VPC https://console.aws.amazon.com/vpc/home 



Step 2: Choose Security Groups in the left navigation.

Step 3: For each security group, perform the following:

Step 4: Select the Security group.

Step 5: Click on the Inbound Rules tab.



Step 6: Identify any rule that allows inbound traffic from 0.0.0.0/0 on any port.



Step 7: Click the Edit inbound rules button, delete each rule that allows ingress from 0.0.0.0/0 to any port, and save the rules.




Using the AWS CLI:

1. List all security groups with an ingress rule of 0.0.0.0/0:


aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
--query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

2. Remove the rule (port 22 is used here only as an example; you can revoke any port the same way):


aws ec2 revoke-security-group-ingress \
--group-id <value> --protocol <protocol> --port 22 --cidr 0.0.0.0/0


Alternatively, the rule to revoke can be specified with --ip-permissions, as below:


aws ec2 revoke-security-group-ingress \
--group-id sg-026c12253ce15eff7 --ip-permissions \
IpProtocol=icmp,FromPort=3,ToPort=4,IpRanges=[{CidrIp=0.0.0.0/0}]
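As an added example (not part of the original page or of any AWS tooling), the following Python script automates the two CLI steps above: it performs the Test Plan check by parsing the JSON that aws ec2 describe-security-groups returns and flagging every ingress rule whose source is 0.0.0.0/0 or ::/0, and it then generates the matching aws ec2 revoke-security-group-ingress --ip-permissions command for each finding. The describe output is a constructed sample embedded inline; the group IDs, group names and CIDR ranges in it are made up.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Group IDs, names and CIDRs are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupName": "web-sg",
            "GroupId": "sg-0example1",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupName": "legacy-sg",
            "GroupId": "sg-0example2",
            "IpPermissions": [
                # "All traffic": IpProtocol -1 carries no FromPort/ToPort
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": []},
            ],
        },
        {
            "GroupName": "default",
            "GroupId": "sg-0example3",
            "IpPermissions": [
                # Default group: all traffic from itself only, no CIDR sources
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0example3"}]},
            ],
        },
    ]
})

# Sources that mean "the whole internet" (IPv4 and IPv6)
UNRESTRICTED = {"0.0.0.0/0", "::/0"}


def find_unrestricted_ingress(describe_output_json):
    """Return one finding per (rule, CIDR) pair whose source is unrestricted."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in UNRESTRICTED:
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "GroupName": sg["GroupName"],
                        "IpProtocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"),  # None for all traffic
                        "ToPort": perm.get("ToPort"),
                        "Cidr": cidr,
                    })
    return findings


def revoke_command(finding):
    """Build the `revoke-security-group-ingress --ip-permissions` call for one finding."""
    spec = f"IpProtocol={finding['IpProtocol']}"
    if finding["FromPort"] is not None:  # omitted for IpProtocol -1
        spec += f",FromPort={finding['FromPort']},ToPort={finding['ToPort']}"
    if ":" in finding["Cidr"]:  # IPv6 source uses a different key
        spec += f",Ipv6Ranges=[{{CidrIpv6={finding['Cidr']}}}]"
    else:
        spec += f",IpRanges=[{{CidrIp={finding['Cidr']}}}]"
    # Quoted so the shell does not interpret the brackets and braces
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['GroupId']} "
            f'--ip-permissions "{spec}"')


def describe(finding):
    """Human-readable one-line summary of a finding."""
    if finding["FromPort"] is None:
        ports = "all ports"
    elif finding["FromPort"] == finding["ToPort"]:
        ports = f"port {finding['FromPort']}"
    else:
        ports = f"ports {finding['FromPort']}-{finding['ToPort']}"
    return (f"{finding['GroupId']} ({finding['GroupName']}): "
            f"{finding['IpProtocol']} {ports} from {finding['Cidr']}")


if __name__ == "__main__":
    # In practice, replace SAMPLE_DESCRIBE_OUTPUT with the text returned by
    # `aws ec2 describe-security-groups --output json`.
    for f in find_unrestricted_ingress(SAMPLE_DESCRIBE_OUTPUT):
        print("FINDING:", describe(f))
        print("   ", revoke_command(f))
```

The script flags every rule open to 0.0.0.0/0 or ::/0, as this control requires, so review the generated commands before running them: a rule such as TCP 443 on a public web tier may be intentional, and revoking it would interrupt that service. Note that an IPv4 and an IPv6 unrestricted source on the same rule produce two separate revoke commands, since each CIDR has to be revoked individually.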



Backout Plan:

To revert to the previous settings, go through the Implementation Steps section again and restore the rules you recorded beforehand. You can delete a security group you created by following these steps:

Step 1: Open the Amazon VPC console https://console.aws.amazon.com/vpc/

Step 2: In the navigation pane, choose Security Groups.

Step 3: Select one or more security groups and choose Security Group Actions, Delete Security Group.

Step 4: In the Delete Security Group dialogue box, choose Yes, Delete.

Alternatively, if you can no longer access your resources, add the CIDR 0.0.0.0/0 back to the inbound rules of the security group.

Using the AWS CLI:

The following command deletes a security group you created; for security_group_id, enter the security group ID shown in your console.