Description:
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to Postgres port 5432. Restricting ingress to port 5432 means the database is reachable only from the sources you explicitly allow (for example an administrative IP range or the application tier's security group), not from arbitrary addresses on the Internet.
Rationale:
Removing unfettered connectivity to remote console services, and keeping an internal database server reachable only from the clients that actually need it, reduces the database server's exposure to risk.
Impact:
Not allowing unrestricted ingress/inbound access to Postgres port 5432 minimizes the opportunities for malicious activity such as unauthorized access, data loss, and several kinds of attack (brute-force password guessing, Denial of Service (DoS) attacks, etc.).
When updating an existing environment, take care that administrators currently relying on the ingress rule from 0.0.0.0/0 retain access to port 5432 through another rule (a narrower CIDR or a source security group) before the open rule is removed.
Default Value:
Each VPC automatically comes with a default security group. If you don't specify a different security group when you launch an instance, the default security group is associated with it. The default security group's inbound rule allows traffic only from resources that are themselves associated with the default security group (not from the Internet), and its outbound rule allows all traffic. A security group you create yourself has no inbound rules at all until you add some.
Pre-Requisite:
Before starting the implementation steps below, record the current inbound configuration (every source IP/CIDR or source security group and every port) so that it can be restored if needed.
Avoid logging in as the root user; use an IAM identity that has only the EC2 permissions required for this change.
Only authorized persons (i.e. admins) should be able to modify security groups.
You cannot delete a VPC's default security group, but you can edit its rules; the recommended practice is to create your own security groups and define your own rules in them.
Do not attach the default security group to any EC2 instance unless you have reviewed and adjusted its default inbound and outbound rules.
Remediation:
Test Plan:
Sign in to the AWS Management Console.
Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Click on Security Groups, under the NETWORK & SECURITY section, in the left navigation pane
For each security group, inspect the inbound rules whose Port range is 5432 (or a range that includes 5432, or All traffic). If any such rule has its Source set to 0.0.0.0/0 or ::/0 (Anywhere), the selected security group allows unrestricted data traffic on port 5432.
Using AWS CLI:
The following command describes a security group; run it for each security group to review which sources and ports are allowed inbound (IpPermissions) and outbound (IpPermissionsEgress):
aws ec2 describe-security-groups --group-ids <security_group_id>
Implementation Steps:
Step 1: Sign in to the AWS Management Console.
Step 2: Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Step 3: Click on Security Groups, under the NETWORK & SECURITY section, in the left navigation pane
Step 4: Select the appropriate security group (see Test plan section to identify the right one(s)).
Step 5: Select the Inbound tab and click the Edit inbound rules button.
Step 6: In the Edit inbound rules dialog box, locate the rule for port 5432, open the Source dropdown and perform one of the following actions to restrict the inbound traffic:
Select My IP to allow inbound traffic only from your current machine (i.e. from your public IP address only).
Select Custom and enter the IP address range (CIDR) or the name or ID of another security group (for example the application tier's group), based on your access requirements.
Step 7: Click Save to apply the changes.
Using AWS CLI
List all security groups that have at least one ingress rule from 0.0.0.0/0. Note that this filter matches rules on any port, so check the port range of each rule in the output, and that it does not match IPv6 rules from ::/0 (use the ip-permission.ipv6-cidr filter for those):
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
Remove the rule that opens port 5432 to the world (Postgres uses TCP; the same command can revoke any other port). The rule must be specified exactly as it exists in the group: revoking port 5432 does not narrow a broader rule such as 1024-65535 or All traffic, which has to be revoked as it is and replaced with rules that have a tighter port range and source.
aws ec2 revoke-security-group-ingress \
    --group-id <value> --protocol tcp --port 5432 --cidr 0.0.0.0/0
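The following Python script is an added example, not part of the original page or of any AWS tooling. It automates both the Test Plan check and the preparation of this remediation from the output of aws ec2 describe-security-groups --output json: it flags every ingress rule that exposes port 5432 to 0.0.0.0/0 or ::/0, including rules that cover 5432 only through a wider port range or an All traffic rule, and it emits the exact --ip-permissions payload that revoke-security-group-ingress needs (which also covers the IPv6 ::/0 case that the --cidr flag alone cannot express). The security group IDs, names and CIDRs in SAMPLE_DESCRIBE_OUTPUT are constructed sample data; the function names are this example's own.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`,
# trimmed to the fields this check uses. Group IDs, names and CIDRs are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "pg-open", "IpPermissions": [
        # Port 5432 open to the whole IPv4 and IPv6 Internet: the finding this page is about.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "pg-wide-range", "IpPermissions": [
        # Never mentions 5432, but the range 1024-65535 still exposes it.
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # Same port restricted to one admin range: compliant.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "all-traffic", "IpPermissions": [
        # "All traffic" rule: protocol -1 and no port fields at all.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "pg-from-app-tier", "IpPermissions": [
        # Source is another security group, not a CIDR: compliant.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60005", "UserId": "123456789012"}]}]},
]})

PG_PORT = 5432
ANYWHERE = ("0.0.0.0/0", "::/0")


def rule_covers_port(perm, port):
    """True if this IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):           # 6 is the IANA protocol number for TCP
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= port <= hi


def find_exposed_rules(describe_output, port=PG_PORT):
    """Return one finding per ingress rule that exposes `port` to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] in ANYWHERE]
            v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in ANYWHERE]
            if not (v4 or v6):
                continue
            findings.append({
                "GroupId": sg["GroupId"], "GroupName": sg["GroupName"],
                "IpProtocol": perm["IpProtocol"],
                "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                "CidrIp": v4, "CidrIpv6": v6,
                # Only an exact tcp/5432 rule can be dropped without side effects; a wider
                # range or an all-traffic rule must be replaced by narrower rules by hand.
                "ExactMatch": perm["IpProtocol"] in ("tcp", "6")
                              and perm.get("FromPort") == port == perm.get("ToPort"),
            })
    return findings


def revoke_permissions(finding):
    """Build the --ip-permissions argument for revoke-security-group-ingress.

    EC2 only revokes a rule that is specified exactly as it exists, so the protocol,
    port range and every open CIDR (IPv4 and IPv6) are copied from the finding."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:     # absent for protocol -1 (all traffic)
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    if finding["CidrIp"]:
        perm["IpRanges"] = [{"CidrIp": c} for c in finding["CidrIp"]]
    if finding["CidrIpv6"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in finding["CidrIpv6"]]
    return [perm]


def revoke_command(finding):
    """The aws CLI command that removes the offending rule."""
    payload = json.dumps(revoke_permissions(finding), separators=(",", ":"))
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], payload))


if __name__ == "__main__":
    for f in find_exposed_rules(SAMPLE_DESCRIBE_OUTPUT):
        note = "" if f["ExactMatch"] else "  # wider than 5432: replace with narrower rules"
        print(f["GroupId"], f["GroupName"], f["FromPort"], f["ToPort"], f["CidrIp"] + f["CidrIpv6"])
        print("  " + revoke_command(f) + note)
```

Run it against real output with `aws ec2 describe-security-groups --output json > sgs.json` and pass the file contents to find_exposed_rules. Findings with ExactMatch false (the 1024-65535 and All traffic rules in the sample) are printed with the revoke command but marked for manual follow-up, because revoking them removes access on every port they covered, and the replacement rules (tcp/5432 from the admin CIDR or application security group) have to be authorized before the old rule is dropped.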
If you need to revert to the previous settings, go through the Implementation Steps section again and re-enter the rules you recorded in the Pre-Requisite step, or delete any security group you created during the implementation. The steps below instead restore an unrestricted "All traffic" rule; note that this reopens port 5432 to the Internet and re-creates the finding, so prefer restoring only the recorded rules.
Step 1: Sign in to the AWS Management Console.
Step 2: Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Step 3: Click on Security Groups, under the NETWORK & SECURITY section, in the left navigation pane
Step 4: Open the security group by clicking on the security group ID
Step 5: Click on the Actions dropdown and select Edit inbound rules.
Step 6: In the Edit inbound rules dialog, add a rule with Type "All traffic", Protocol "All", Port range "All" and Source 0.0.0.0/0, then save it.
Using AWS CLI (protocol -1 means all protocols and all ports, so no --port argument is needed; a source CIDR or source security group is required for the rule to be valid):
aws ec2 authorize-security-group-ingress --group-id <value> --protocol -1 --cidr 0.0.0.0/0