Description: 

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to Postgres port 5432.


Rationale: 

Removing unfettered connectivity to database services, such as PostgreSQL, reduces a server's exposure to risk: a listener reachable from the whole Internet can be brute-forced, probed for known server vulnerabilities, and is only one leaked credential away from full data exposure. Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to Postgres port 5432.


Audit: 

Perform the following to determine if the account is configured as prescribed: 

1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 

2. In the left pane, click Security Groups 

  • For each security group, perform the following: 
  • Select the security group 
  • Click the Inbound Rules tab
  • Ensure no rule exists that has a port range that includes Postgres port 5432 (including rules for all TCP ports or all traffic) and has a Source of 0.0.0.0/0 or ::/0


Remediation:

Perform the following to implement the prescribed state: 

1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home 

2. In the left pane, click Security Groups 

3. For each security group, perform the following: 

  • Select the security group 
  • Click the Inbound Rules tab 
  • Identify the rules to be removed 
  • Click the x in the Remove column 
  • Click Save
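The console steps in the Audit and Remediation sections do not scale past a handful of security groups. The following script, added as an example for this page and not CIS or AWS code, performs the same check programmatically over the data structure returned by the EC2 DescribeSecurityGroups API (boto3 `describe_security_groups()["SecurityGroups"]`) and builds the exact `revoke_security_group_ingress` request that removes only the offending world-open source from a rule, leaving other sources on the same rule intact. It flags both 0.0.0.0/0 and ::/0, and also catches port ranges and all-traffic rules that happen to include 5432, which a quick visual scan for "5432" can miss. The group IDs and rules in SAMPLE_GROUPS are constructed for illustration.

```python
"""Audit security groups for Postgres port 5432 open to the world and build
the revoke request for each finding.

Added example for this page, not CIS or AWS code. Operates on the dict
structure returned by EC2 DescribeSecurityGroups; SAMPLE_GROUPS below is
constructed and the group IDs are made up.
"""
from __future__ import annotations

WORLD_CIDRS = ("0.0.0.0/0", "::/0")   # IPv4 and IPv6 "anywhere"
POSTGRES_PORT = 5432


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermission entry includes `port` over TCP or all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                   # all protocols, all ports
        return True
    if proto != "tcp":                  # udp/icmp cannot carry a Postgres session
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_sources(perm: dict) -> list[str]:
    """Return the world-open CIDRs (v4 and v6) listed as sources of a rule."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_open_postgres_rules(groups: list[dict], port: int = POSTGRES_PORT) -> list[dict]:
    """Audit: one finding per (group, rule, world-open source) covering `port`."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for cidr in world_open_sources(perm):
                findings.append({"GroupId": sg["GroupId"],
                                 "GroupName": sg.get("GroupName", ""),
                                 "IpProtocol": perm["IpProtocol"],
                                 "FromPort": perm.get("FromPort"),
                                 "ToPort": perm.get("ToPort"),
                                 "Cidr": cidr})
    return findings


def revoke_request(finding: dict) -> dict:
    """Remediation: kwargs for ec2.revoke_security_group_ingress() that drop
    only the offending CIDR from the matching rule. Note that for an all-traffic
    ("-1") rule this removes world access to every port, which is the intent."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":   # all-traffic rules carry no port fields
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if ":" in finding["Cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["Cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["Cidr"]}]
    return {"GroupId": finding["GroupId"], "IpPermissions": [perm]}


# Constructed sample in DescribeSecurityGroups shape (made-up group IDs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "db-public",      # 5432 open to IPv4 world + VPC CIDR
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}],
                        "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "GroupName": "wide-range",     # 5000-6000 open to IPv6 world
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example3", "GroupName": "db-private",     # compliant: source is another SG
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0appexample"}]}]},
    {"GroupId": "sg-0example4", "GroupName": "allow-all",      # all traffic from anywhere
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    # Against a real account, replace SAMPLE_GROUPS with the paginated output of
    # boto3.client("ec2").describe_security_groups()["SecurityGroups"] and, after
    # review, pass each revoke_request() result to ec2.revoke_security_group_ingress(**req).
    for f in find_open_postgres_rules(SAMPLE_GROUPS):
        print(f["GroupId"], f["GroupName"], f["Cidr"], "->", revoke_request(f))
```

Run the audit half first and review the findings before issuing any revoke calls: a rule with IpProtocol -1 or a wide port range may be carrying traffic other than Postgres, and the Impact note below applies to every source you remove.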


Impact: 

For updating an existing environment, care should be taken to ensure that administrators and applications currently relying on an existing ingress from 0.0.0.0/0 or ::/0 have access to Postgres port 5432 through another security group or a narrower source (for example a VPN, bastion, or application-tier security group). Removing the rule takes effect immediately for new connections.


Resource: