Description: 

Ensure that no security group in use lacks ingress filtering. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allow unrestricted ingress access.


Audit:

Perform the following to determine if the account is configured as prescribed: 

1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home

2. In the left pane, click Security Groups 

3. For each security group, perform the following: 

4. Select the security group 

5. Click the Inbound Rules tab

6. Ensure no rule exists that has a port range that includes any port and has a source
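The same check can be run against a saved `aws ec2 describe-security-groups` dump instead of clicking through each group. This is an added example, not part of the benchmark text; it assumes "unrestricted" means a source of 0.0.0.0/0 or ::/0, and the sample dump is constructed.

```python
"""Flag security groups whose inbound rules allow unrestricted access.

Operates on the JSON shape returned by the EC2 DescribeSecurityGroups API
(`aws ec2 describe-security-groups`), so it runs offline on a saved dump.
"""
import json

# Assumption: these sources are what "unrestricted" means (any IPv4 / any IPv6).
OPEN_SOURCES = {"0.0.0.0/0", "::/0"}


def _port_span(perm):
    """Render a rule's port range; protocol -1 or missing ports means all ports."""
    if perm.get("IpProtocol", "-1") == "-1":
        return "all"
    frm, to = perm.get("FromPort"), perm.get("ToPort")
    if frm is None or to is None or (frm == -1 and to == -1):
        return "all"
    return str(frm) if frm == to else f"{frm}-{to}"


def open_ingress_rules(groups):
    """Return [(group_id, protocol, ports, source)] for every inbound rule
    whose IPv4 or IPv6 source CIDR is unrestricted."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if src in OPEN_SOURCES:
                    findings.append((sg["GroupId"], perm.get("IpProtocol", "-1"),
                                     _port_span(perm), src))
    return findings


# Constructed sample dump (not real account data); sg-0ccc is compliant.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ccc", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}]}""")

if __name__ == "__main__":
    for gid, proto, ports, src in open_ingress_rules(SAMPLE["SecurityGroups"]):
        print(f"{gid}: {proto} {ports} open to {src}")
```

Feed it the output of `aws ec2 describe-security-groups` for each region; an empty result list means no inbound rule has an unrestricted source.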


Rationale: 

Perform the following to implement the prescribed state: 

1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home

2. In the left pane, click Security Groups 

3. For each security group, perform the following: 

4. Select the security group 

5. Click the Inbound Rules tab 

6. Identify the rules to be removed 

7. Click the x in the Remove column 

8. Click Save


References: 

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html