Description: 

Ensure that no security group in use permits unfiltered ingress, i.e. an inbound rule that allows all traffic (all protocols and all ports) from any source (0.0.0.0/0 or ::/0). Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access.


Rationale:

Any security group configured to allow unrestricted inbound access exposes every port of the associated instances to the whole Internet and increases the opportunity for malicious activity such as exploitation of listening services, denial-of-service attacks, or brute-force attacks.


Impact:

Tightening or removing an inbound rule cuts off traffic from the sources that rule allowed. An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances associated with the specified security group, so before removing an unrestricted rule, add rules that cover the protocols, ports and sources legitimate clients actually use.


Default Value:

A VPC automatically comes with a default security group. If you don't specify a different security group when you launch an instance, the default security group is associated with it. By default, the default security group allows inbound traffic only from network interfaces assigned to the same security group and allows all outbound traffic; however, any security group, including the default one, can be edited to allow all inbound traffic from anywhere, which is the condition this check flags.


Pre-requisites:

  1. Sign in as an admin or as an IAM user with the required permissions (at least ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress and ec2:RevokeSecurityGroupIngress)

  2. At least one security group must exist in the account/region being checked


Remediation:


Test Plan:

  1. Sign in to the AWS Management Console

  2. Go to the EC2 dashboard at https://console.aws.amazon.com/ec2

  3. Click on Security Groups in the left navigation pane

  4. Select the security group you want to examine

  5. Go to the Inbound rules tab and make sure no rule has Type "All traffic" (or a port range covering all ports) with Source 0.0.0.0/0 or ::/0; repeat for every security group in each region in use



Implementation steps:

  1. Sign in to the AWS Management Console

  2. Go to the EC2 dashboard at https://console.aws.amazon.com/ec2

  3. Click on Security Groups in the left navigation pane

  4. Select the security group you want to modify and click on the Inbound rules tab at the bottom

  5. Click on Edit inbound rules

  6. Delete any rule that allows all traffic from 0.0.0.0/0 or ::/0, then click on Add rule and add only the rules you need, each limited to a specific protocol, port range and source (a CIDR range or a security group), as per your security norms

  7. Click on Save rules


Using AWS CLI

After the unrestricted rule has been removed, add the specific rules that are required. For example, the following allows inbound traffic on TCP port 22 (SSH) only from the 203.0.113.0/24 range (replace the group name and CIDR with your own; for a security group in a non-default VPC, use --group-id instead of --group-name):

aws ec2 authorize-security-group-ingress \
    --group-name MySecurityGroup \
    --protocol tcp \
    --port 22 \
    --cidr 203.0.113.0/24
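As an added, offline-runnable version of the test plan above and of the remediation's first step (removing the unfiltered rule), the following Python script is not part of the original text and not an AWS tool. It assumes the JSON layout returned by aws ec2 describe-security-groups (the SecurityGroups[].IpPermissions[] structure), treats a rule with IpProtocol "-1" from 0.0.0.0/0 or ::/0 as unfiltered ingress, and, going one step beyond the text, also flags TCP/UDP rules that span ports 0-65535 from anywhere. The embedded sample output is constructed and uses documentation IDs and ranges only.

```python
"""Audit AWS security groups for inbound rules that perform no filtering.

Added example for this check (not part of the original text or of any AWS
tool). Feed it real output with:
    aws ec2 describe-security-groups --output json > sgs.json
    python3 sg_ingress_audit.py sgs.json
It prints one `aws ec2 revoke-security-group-ingress` command per offending
rule, ready to run after review. Without an argument it uses the constructed
sample at the bottom of the file.
"""
import json
import sys

ANYWHERE = {"0.0.0.0/0", "::/0"}  # "any source" in IPv4 and IPv6


def covers_all_ports(perm):
    """True when the rule places no protocol/port restriction at all."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # the API's "all protocols" value ("All traffic" in the console)
        return True
    # Assumption: a TCP/UDP rule spanning 0-65535 is treated as unfiltered too.
    if proto in ("tcp", "udp"):
        return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535
    return False


def open_sources(perm):
    """Return the sources of this rule that mean 'anywhere'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def single_source_permission(perm, cidr):
    """Copy the protocol/ports of `perm` with `cidr` as its only source; revoke needs an exact match."""
    entry = {"IpProtocol": perm["IpProtocol"]}
    if "FromPort" in perm:
        entry["FromPort"] = perm["FromPort"]
        entry["ToPort"] = perm["ToPort"]
    if ":" in cidr:
        entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        entry["IpRanges"] = [{"CidrIp": cidr}]
    return entry


def find_unrestricted_ingress(describe_output):
    """List every (group, permission) that admits all traffic from anywhere."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not covers_all_ports(perm):
                continue  # filtered by protocol/port, not this check's concern
            for cidr in open_sources(perm):  # all-traffic from a private range yields nothing
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg["GroupName"],
                    "Permission": single_source_permission(perm, cidr),
                })
    return findings


def revoke_commands(findings):
    """Render the CLI command that removes each offending rule (--ip-permissions covers IPv6 too)."""
    cmds = []
    for f in findings:
        perms = json.dumps([f["Permission"]], separators=(",", ":"))
        cmds.append(
            f"aws ec2 revoke-security-group-ingress --group-id {f['GroupId']} "
            f"--ip-permissions '{perms}'"
        )
    return cmds


# Constructed sample: what describe-security-groups might return for three groups.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {   # the VPC default group after someone "opened it up": two unfiltered rules
            "GroupId": "sg-0a1b2c3d4e5f67890", "GroupName": "default",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": [], "PrefixListIds": []},
            ],
        },
        {   # compliant: specific ports, or all traffic only from an internal range
            "GroupId": "sg-0f1e2d3c4b5a69788", "GroupName": "web-tier",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
            ],
        },
        {   # full TCP range from anywhere: flagged under the assumption above
            "GroupId": "sg-0123456789abcdef0", "GroupName": "legacy-app",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
            ],
        },
    ]
}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_OUTPUT
    hits = find_unrestricted_ingress(data)
    for f in hits:
        print(f"FAIL {f['GroupId']} ({f['GroupName']}): {json.dumps(f['Permission'])}")
    for cmd in revoke_commands(hits):
        print(cmd)
    sys.exit(1 if hits else 0)
```

The revoke commands use --ip-permissions rather than the --protocol/--cidr shorthand because the shorthand's --cidr flag accepts IPv4 only, while an unfiltered ::/0 rule is just as open. Review each printed command and add the replacement rules (as in the SSH example above) before running it, so legitimate traffic is not cut off.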



Backout plan:


Step 1: Sign in to the AWS Management Console.

Step 2: Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

Step 3: Click on Security Groups, under the NETWORK & SECURITY section, in the left navigation pane.

Step 4: Open the security group by clicking on the security group ID.

Step 5: Click on the Actions dropdown and select Edit inbound rules.

Step 6: Click on Add rule, select Type "All traffic" (Protocol "All", Port range "All"), set Source to Anywhere-IPv4 (0.0.0.0/0) (and Anywhere-IPv6, ::/0, if that was previously allowed), and click Save rules. This restores the unrestricted ingress that the check flags.

 


Using AWS CLI:

Re-adds the all-traffic rule from any IPv4 source (a source is required, so --cidr must be given; with --protocol all no --port is needed):

aws ec2 authorize-security-group-ingress \
    --group-id <value> \
    --protocol all \
    --cidr 0.0.0.0/0

Reference:

Security groups for your VPC - Amazon Virtual Private Cloud