Description: 

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to Cassandra ports 7199 or 9160 or 8888.Apache Cassandra is a free and open-source distributed wide-column store, NoSQL database management system. It manages very large amounts of data across many commodity servers.


Rationale: 

Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk. Ensure no security groups allow ingress from 0.0.0.0/0 or::/0 to Cassandra ports 7199 or 9160 or 8888.


Impact:

For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to Cassandra ports 7199 or 9160 or 8888 through another security group.


Default Value:

The default port for Cassandra is:

  •  TCP 7000 is used for inter-node communication.

  • TCP 7001 is used for encrypted inter-node communications if you enable TLS

  • TCP 7199 is used for JMX(Java Management Extensions) management connections

  • TCP 9042 is used for native clients if enabled 

  • TCP 9160 is used for thrift clients if enabled

For opscenter:

  • TCP 8888 is used by the opscenter web UI.

  • TCP 61620 is used by the opscenter daemon for in-bound connections.

  • TCP 61621 is used by opscenter agents for in-bound connections


Pre-Requisite:

  1. Before starting the below implementation steps note down all configurations which IP and which port in the inbound.

  2. Avoid the login through the Root user.

  3. Only authorized persons (i.e, admins) can access the Security Groups.

  4. You cannot delete the default security groups but you can edit and modify them here you can create security groups and create your own rules in them.

  5. Do not attach the default security group to any EC2 instance.


Remediation:


Test Plan:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

  3. Click on Security Groups, under the NETWORK & SECURITY section, in the left navigation pane

  4. Verify the value available in the Source column for any inbound/ingress rules with uncommon ports. If one or more rules have the source set to 0.0.0.0/0 or::/0 (Anywhere), the selected security group allows unrestricted traffic to uncommon ports, therefore the access to the EC2 instance(s) associated with the security group is not restricted.


Using AWS CLI:

The following command describes a security group the command you can use for each security groups individual to check which IP or ports inbound or outbound

aws ec2 describe-security-groups --region us-east-1 \
--filters Name=ip-permission.from-port,Values=7199 \
Name=ip-permission.to-port,Values=9160 Name=ip-permission.cidr,Values='0.0.0.0/0' \
--query 'SecurityGroups[*].{Name:GroupName}'


Implementation Steps:

Step 1: Sign in to the AWS Management Console.

Step 2: Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click on Security Groups, under the NETWORK & SECURITY section, in the left navigation pane

Step 4: Select the appropriate security group (see Audit section to identify the right one(s)).

Step 5: Select the Inbound tab and click the Edit inbound rules button.

Step 6: In the Edit inbound rules dialog box, go-to source column and perform one of the following actions to restrict the inbound traffic: Click on the source dropdown

  1. Select My IP to allow inbound traffic only from your machine (i.e, from your IP address only).

  2. Select Custom and enter IP addresses or name or ID of another security group based on your access requirements



Step 7: Click Save to apply the changes.


Using AWS CLI

List all security groups with an ingress rule of 0.0.0.0/0  

aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' \
    --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

Remove the rule  7199 or 9160 or 8888 port used only e.g. you can revoke any port  

aws ec2 revoke-security-group-ingress \
  --group-id <value> --protocol <protocol> --port 8888 --cidr 0.0.0.0/0

Backout Plan:

If you want to proceed with previous settings go through the Implementation steps section and set all previous policies that you have written somewhere. Or else you can delete the security group you created

Step 1: Sign in to the AWS Management Console.

Step 2: Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click on Security Groups, under the NETWORK & SECURITY section, in the left navigation pane

Step 4: Open the security group by clicking on the security group ID

Step 5: Click on Actions dropdown and select Delete Security groups


Using AWS CLI:

The following command is used to delete created security group id in the security_group_id enter the security group id which you show on your console.

aws ec2 delete-security-group --group-id <security_group_id>