Description:
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.
Rationale:
EC2 security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or::/0) to TCP port 1433 and restrict access to only those IP addresses that require it to implement the principle of least privilege and reduce the possibility of a breach.
Impact:
By changing the source to specific IP or range of IPs in the inbound whereas incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group
Default:
A VPC comes with a default security group. If you don’t specify a different security group when you launch the instance, the default security group will be associated with the instance. By default, the security group allows all inbound connections.
Pre-Requisite
Identify AWS resources that exist within the default security group.
Before implementation steps create a set of least privileged security groups for those resources.
Remediation:
Test Plan:
Sign-in into AWS Management console
Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/home/.
Click on the Security Groups in the left Navigation menu.
Select the security group to audit.
Click on the inbound rules tab in the security group.
Observe the inbound rules
- If you find SQL port 1433 with the source as 0.0.0.0/0 (anywhere) that means traffic to this port is not restricted. To restrict the traffic follow the implementation steps.
Using AWS CLI:
To describe a security group
aws ec2 describe-security-groups --group-id <give group_id>
Implementation:
Sign-in into AWS Management console
Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/home/.
Click on the Security Groups in the left Navigation menu.
- Select the security group that you want to reconfigure
- Click on the inbound rules tab in the security group.
- Click on the Edit inbound rules button
- Under source, column select the IP or range of IPs that you want to allow to this port
- Click on the Save changes button to save the changes.
Using AWS CLI:
First, run revoke-security-group-ingress command to remove the inbound rule(s) that allow unrestricted access through TCP port 1433, from the selected EC2 security group (the command does not return an output):
aws ec2 revoke-security-group-ingress
--region us-east-1
--group-name MyMSServerSecurityGroup
--protocol tcp
--port 1433
--cidr 0.0.0.0/0
Backout plan:
Sign-in into the AWS Management console.
Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/home/.
Click on the security groups in the left navigation menu.
Select the security group to modify.
Click on the inbound rules button.
Select the custom type under the source in the dropdown menu and select the source as 0.0.0.0/0 or::/0.
Click on the save changes.
Using AWS CLI:
aws ec2 authorize-security-group-ingress --group-id <your group id>--protocol tcp --port 433 --cidr 0.0.0.0/0
References:
Security group rules for different use cases - Amazon Elastic Compute Cloud
Control traffic to subnets with Network ACLs - Amazon Virtual Private Cloud