Description:

Amazon Lightsail is a virtual private server (VPS) provider and is the easiest way to get started with AWS for developers, small businesses, students, and other users who need a solution to build and host their applications on cloud. Lightsail provides developers compute, storage, and networking capacity and capabilities to deploy and manage websites and web applications in the cloud.


Rationale:

Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.


Impact:

You can control the data traffic for your instances by using the Lightsail firewall. From the Lightsail console, you can set rules about which ports of your instance are publicly accessible for different types of traffic.


Default Value:

By default, the IPv4 firewall allows SSH and HTTP.




Audit:

  1. Sign in to the AWS Management Console

  2. Go to the Lightsail service at https://lightsail.aws.amazon.com/

  3. Choose and click on the instance you want to examine

  4. Select Networking tab

  5. Go to the IPv4 Firewall section and check whether any rule has its port range set to 0-65535 and its Restricted to field set to Any IPv4 address, meaning the rule is not limited to a particular port or IP address.
    If you find any such unrestricted rule, follow the implementation steps.


Via CLI:

aws lightsail get-instance --instance-name Nginx-1

The above command shows the full configuration of the instance named in the command. Find the ports section in the output to check whether the instance restricts inbound traffic. If a rule shows Anywhere (0.0.0.0/0 and ::/0), any IP address is allowed.



Remediation:

Pre-requisites:

  • Sign in as admin or IAM user with required permissions


Implementation Steps:

  1. Sign in to the AWS Management Console

  2. Go to the Lightsail service at https://lightsail.aws.amazon.com/

  3. Choose and click on the instance you want to examine

  4. Select the Networking tab and go to IPv4 Firewall section

  5. Choose the rule you want to edit and click on edit symbol

  6. Choose the particular port from the list of ports available under Applications, check the Restricted to IP address checkbox, enter the IP address you want, and click Save.


Via CLI:

aws lightsail put-instance-public-ports --port-info <fromPort=integer,toPort=integer,protocol=string,cidrs=string,string,ipv6Cidrs=string,string,cidrListAliases=string,string> --instance-name <name>

This action closes all currently open ports that are not included in the request. Include all of the ports and the protocols you want to open in your PutInstancePublicPorts request. Or use the OpenInstancePublicPorts action to open ports without closing currently open ports.
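The following script is an added example, not part of this benchmark or of the AWS CLI, that ties the audit and remediation steps above together. It scans a constructed stand-in for the `aws lightsail get-instance --instance-name Nginx-1` output (only the networking.ports fields are reproduced) for rules that open a remote console port to any IPv4 or IPv6 source, then builds the complete `put-instance-public-ports` request in `--port-info` shorthand. Because that call closes every port omitted from the request, the generated command carries over every existing rule unchanged and narrows only the flagged ones to an administrator CIDR. The port set in `REMOTE_CONSOLE_PORTS`, the sample rules and the `203.0.113.5/32` admin range are assumptions made for the example.

```python
"""Audit a Lightsail instance firewall for remote-console ports open to any source
and build the complete rule set for put-instance-public-ports.

Added example, not part of the benchmark text. SAMPLE_GET_INSTANCE is a constructed
stand-in for get-instance output; REMOTE_CONSOLE_PORTS and the admin CIDR passed to
build_port_info are assumptions for the example.
"""
import ipaddress
import json

# Assumption: the remote console services whose exposure we audit.
REMOTE_CONSOLE_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample shaped like the networking.ports section of get-instance output.
SAMPLE_GET_INSTANCE = json.loads("""
{"instance": {"name": "Nginx-1", "networking": {"ports": [
  {"fromPort": 22, "toPort": 22, "protocol": "tcp", "accessFrom": "Anywhere (0.0.0.0/0 and ::/0)",
   "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
  {"fromPort": 80, "toPort": 80, "protocol": "tcp", "accessFrom": "Anywhere (0.0.0.0/0 and ::/0)",
   "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
  {"fromPort": 0, "toPort": 65535, "protocol": "all", "accessFrom": "Anywhere (0.0.0.0/0 and ::/0)",
   "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
  {"fromPort": 443, "toPort": 443, "protocol": "tcp", "accessFrom": "Custom",
   "cidrs": ["203.0.113.0/24"], "ipv6Cidrs": [], "cidrListAliases": []}
]}}}
""")


def is_wildcard(cidr):
    """True for a source range that admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposes_remote_console(rule):
    """True when the rule's port range covers SSH or RDP (a 0-65535 rule always does)."""
    return any(rule["fromPort"] <= p <= rule["toPort"] for p in REMOTE_CONSOLE_PORTS)


def find_unrestricted_console_rules(get_instance_output):
    """Return the rules that open a remote-console port to any IPv4 or IPv6 source."""
    findings = []
    for rule in get_instance_output["instance"]["networking"]["ports"]:
        sources = rule.get("cidrs", []) + rule.get("ipv6Cidrs", [])
        if any(is_wildcard(c) for c in sources) and exposes_remote_console(rule):
            findings.append(rule)
    return findings


def build_port_info(get_instance_output, admin_cidr):
    """Replacement rule set for put-instance-public-ports.

    Every existing rule is carried over, because put-instance-public-ports closes
    anything omitted; only flagged rules have their source narrowed to admin_cidr.
    """
    flagged = find_unrestricted_console_rules(get_instance_output)
    admin_net = ipaddress.ip_network(admin_cidr, strict=False)
    port_info = []
    for rule in get_instance_output["instance"]["networking"]["ports"]:
        entry = {k: list(rule[k]) if isinstance(rule[k], list) else rule[k]
                 for k in ("fromPort", "toPort", "protocol", "cidrs", "ipv6Cidrs", "cidrListAliases")}
        if rule in flagged:
            entry["cidrs"] = [admin_cidr] if admin_net.version == 4 else []
            entry["ipv6Cidrs"] = [admin_cidr] if admin_net.version == 6 else []
        port_info.append(entry)
    return port_info


def to_shorthand(entry):
    """Render one rule in the AWS CLI --port-info shorthand (empty lists omitted)."""
    parts = [f"fromPort={entry['fromPort']}", f"toPort={entry['toPort']}",
             f"protocol={entry['protocol']}"]
    for key in ("cidrs", "ipv6Cidrs", "cidrListAliases"):
        if entry[key]:
            parts.append(f"{key}={','.join(entry[key])}")
    return ",".join(parts)


def remediation_command(get_instance_output, admin_cidr):
    """Full put-instance-public-ports command carrying every rule, flagged ones narrowed."""
    name = get_instance_output["instance"]["name"]
    items = " ".join(to_shorthand(e) for e in build_port_info(get_instance_output, admin_cidr))
    return f"aws lightsail put-instance-public-ports --instance-name {name} --port-info {items}"


if __name__ == "__main__":
    for rule in find_unrestricted_console_rules(SAMPLE_GET_INSTANCE):
        print(f"FINDING: {rule['protocol']} {rule['fromPort']}-{rule['toPort']} "
              f"open from {rule['accessFrom']}")
    print(remediation_command(SAMPLE_GET_INSTANCE, "203.0.113.5/32"))
```

On the sample, the script flags the SSH rule and the 0-65535 catch-all rule, leaves the HTTP and HTTPS rules untouched, and emits a command that still lists all four rules, which is the property to verify before running any `put-instance-public-ports` request against a live instance.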


Backout plan:

To revert the changes, follow the implementation steps, choose the original port and IP address at step 6, and click Save.


Reference:

https://aws.amazon.com/lightsail/

https://docs.aws.amazon.com/cli/latest/reference/lightsail/put-instance-public-ports.html