Description:
Ensure that no security group in use allows unfiltered ingress. Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access.
Rationale:
Any security group configured to allow unrestricted access increases the opportunity for malicious activity such as hacking, denial-of-service attacks, or brute-force attacks.
Impact:
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or the instances associated with the specified security group.
Default Value:
VPC automatically comes with a default security group. If you don't specify a different security group when you launch the instance, the default security group will be associated with the instance. By default, the security group allows all inbound connections.
Pre-requisites:
Sign in as an admin or as an IAM user with the required permissions
At least one security group must exist
Remediation:
Test Plan:
Sign in to the AWS management console
Go to EC2 dashboard at https://console.aws.amazon.com/ec2
Click on security groups in the left navigation pane.
Select the security group you want to examine
Go to the Inbound tab and make sure at least one rule exists
Implementation steps:
Sign in to the AWS management console
Go to EC2 dashboard at https://console.aws.amazon.com/ec2
Click on security groups in the left navigation pane
Select the security group you want to modify and click on the Inbound tab at the bottom
Click on Edit inbound rules
Click on Add rule and provide the configuration required by your security norms
Click on Save rules
Using AWS CLI
Allows inbound traffic on TCP port 22 (SSH) from the 203.0.113.0/24 range only:
aws ec2 authorize-security-group-ingress \
    --group-name MySecurityGroup \
    --protocol tcp \
    --port 22 \
    --cidr 203.0.113.0/24
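The console test plan above only confirms that inbound rules exist; the control itself is about rules open to the whole internet. As an added example (not part of the original page), the following script parses the JSON that `aws ec2 describe-security-groups --output json` produces and reports every inbound rule whose source is 0.0.0.0/0 or ::/0. The group IDs, names and rules in the embedded sample are constructed for this example.

```python
import json
import sys

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# The group IDs, names and rules are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a0001", "GroupName": "web-open",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0a0002", "GroupName": "all-traffic-v6",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0a0003", "GroupName": "restricted",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    ]
})

# Sources that mean "any IPv4 host" or "any IPv6 host".
UNRESTRICTED = {"0.0.0.0/0", "::/0"}

def port_label(perm):
    """Human-readable port range; protocol -1 means every port on every protocol."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"

def find_unrestricted_ingress(describe_json):
    """Return (group_id, protocol, ports, cidr) for every inbound rule open to the world."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in UNRESTRICTED:
                    findings.append((sg["GroupId"], perm["IpProtocol"], port_label(perm), cidr))
    return findings

if __name__ == "__main__":
    # Read real CLI output from a pipe; fall back to the constructed sample otherwise.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for gid, proto, ports, cidr in find_unrestricted_ingress(data):
        print(f"{gid}: {proto}/{ports} open to {cidr}")
```

Run it against a live account with `aws ec2 describe-security-groups --output json | python3 audit_sg.py`; every line printed is a rule that this control says should not exist.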
Backout plan:
Step 1: Sign in to the AWS Management Console.
Step 2: Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
Step 3: Click on Security Groups, under the NETWORK & SECURITY section, in the left navigation pane.
Step 4: Open the security group by clicking on the security group ID.
Step 5: Click on the Actions dropdown and select Edit inbound rules.
Step 6: Click on the Edit inbound rules button, select Type “All traffic”, Protocol “All” and port range “All”, and save it.
Using AWS CLI:
aws ec2 authorize-security-group-ingress --group-id <value> --protocol all --port all
Reference:
Security groups for your VPC - Amazon Virtual Private Cloud