Description:

Security groups are stateful and provide filtering of inbound/ingress network traffic to AWS resources. Allowing unrestricted inbound/ingress access to uncommon ports can increase opportunities for malicious activity such as Denial of service, data loss.


Rationale:

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.


Impact:

For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 23  through another security group.


Default Value:

VPC automatically comes with a default security group. If you don’t specify a different security group when you launch the instance, the default security group will be associated with the instance. By default, the security group allows all inbound connections.


Pre-Requisite:

  1. Before starting the below implementation steps write all configurations which IP and which port in the inbound.

  2. Avoid the login through the root user.

  3. Only authorized persons can access the Security Groups.

  4. You cannot delete the default security groups but you can edit and modify them here so you can create security groups and create your own rules in them.

  5. Do not attach the default security group to any EC2 instance if you do not modify any default rules in inbound or outbound.


Remediation:


Test Plan:

  • Sign in to AWS Management Console.

  • Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc

  • In the left navigation panel, under SECURITY session, choose Security groups.

  • Select the security group that you want to examine.

  • Select the Inbound Rules tab from the dashboard bottom panel.

  • Verify the value in the Source column for any inbound rules with the Port Range set to 23 have the source set to 0.0.0.0/0 or::/0 (Anywhere), then the selected security group allows unrestricted data traffic on port 23.

Using AWS CLI:

aws ec2 describe-security-groups 
--filters Name=ip-permission.from-port,Values=23 Name=ip-permission.to-port,Values=23 Name=ip-permission.cidr,Values='0.0.0.0/0'
--query "SecurityGroups[*].[GroupName]"
--output text


Implementation:



  • In the navigation panel, under the SECURITY section, choose Security Groups.


  • Select the Security Group that you want to reconfigure.




  • Select the Inbound Rules tab from the dashboard bottom panel.

  •  In the Edit inbound rules dialog box, go-to source column and perform one of the following actions to restrict the inbound traffic: Click on source dropdown

  • Select My IP to allow inbound traffic only from your machine (i.e, from your IP address only). 
  • Select Custom and enter IP addresses or names or ID of another security group based on your access requirements.


  • Click on the save rules button.


Using AWS CLI:

aws ec2 rthe evoke-security-group-ingress 
--region us-east-1 (select your region)
--group-name (your security group name)
--protocol tcp
--port 23
--cidr 0.0.0.0/0



Backout Plan:

  • Sign in to the AWS Management Console.

  • Navigate to AWS VPC dashboard at https://console.aws.amazon.com/vpc/

  • In the navigation panel, under the SECURITY section, choose security group.

  • Select the Security group that you want to reconfigure.

  • Select the Inbound Rules tab from the dashboard bottom panel.

  • Click the Edit button to change the current configuration and revert the changes made.

  • Save the changes.

Reference:

Security groups for your VPC - Amazon Virtual Private Cloud

describe-security-groups — AWS CLI 1.22.26 Command Reference (amazon.com)