Description:

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.


Rationale:

Removing unfettered connectivity (a 0.0.0.0/0 or ::/0 source) to the Kafka broker port 9092 reduces a server's exposure to risk.


Impact:

For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to port 9092 through another security group. 


Default Value

VPC automatically comes with a default security group. If you don’t specify a different security group when you launch the instance, the default security group will be associated with the instance. By default, the security group allows all inbound connections.


Pre-Requisite

  1. Make sure you don’t have any default security groups that give access to the Kafka port

  2. Sign in as administrator or any IAM user with the required permissions


Remediation:

Test Plan:

Perform the following to determine if the account is configured as prescribed: 

  1. Log in to the AWS Management Console and go to the VPC dashboard at https://console.aws.amazon.com/vpc/home 

  2. In the left navigation pane, click Security Groups

  3. Select the security group you want to audit

  4. Click on the Inbound Rules tab

  5. If, for port 9092, the source is set to 0.0.0.0/0 or ::/0 (Anywhere), the selected security group allows unrestricted traffic on port 9092 and access to Kafka is open to the public. Follow the implementation steps.


Using AWS CLI:

To describe a security group (the parameter is --group-ids and accepts one or more group IDs)

aws ec2 describe-security-groups --group-ids <group-id>
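The console steps above check one group at a time. As an added example that is not part of this guide, the following Python reads the JSON that `aws ec2 describe-security-groups` prints (its SecurityGroups/IpPermissions shape, with a constructed sample embedded) and lists every group where port 9092 is reachable from 0.0.0.0/0 or ::/0, including rules written as a port range or as all traffic (IpProtocol -1), which a glance at the console can miss. Group IDs and CIDRs in the sample are made up.

```python
# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (assumed excerpt, not data from a real account).
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [  # 9092 open to the IPv4 world
        {"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # range 9000-9100 open over IPv6
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9100,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # all traffic: no port fields
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [  # restricted to corpnet: compliant
        {"IpProtocol": "tcp", "FromPort": 9092, "ToPort": 9092,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]}

ANYWHERE = {"0.0.0.0/0", "::/0"}  # the "Anywhere" sources from the test plan


def rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`. IpProtocol
    "-1" means every protocol/port and has no FromPort/ToPort, so test it first."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # Kafka is TCP; "6" is its IANA number
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_ingress(response, port=9092):
    """Return (GroupId, cidr) pairs where `port` is reachable from anywhere."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings.extend((sg["GroupId"], c) for c in cidrs if c in ANYWHERE)
    return findings


if __name__ == "__main__":
    import json, sys
    # With no piped input, fall back to the constructed sample above
    data = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    for group_id, cidr in find_open_ingress(data):
        print(f"{group_id}: port 9092 open to {cidr}")
```

Run it as `aws ec2 describe-security-groups | python3 check.py` to audit a whole region; every group it prints is a candidate for the implementation steps below.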

Implementation Steps

Perform the following to implement the prescribed state: 

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/vpc/home 

  2. In the left navigation pane, click Security Groups

  3. Choose the Security Group that you want to reconfigure

  4. Click on the Inbound Rules tab for the selected security group

  5. Click on the Edit inbound rules button

  6. In the Source column, select the particular IP or range of IPs that you want to allow to access the Kafka port (9092)

  7. Click on the Save rules button


Using AWS CLI:

To modify the security group, first revoke the rule that allows port 9092 from 0.0.0.0/0, then authorize only the permitted range (203.0.113.0/24 is a placeholder for your own network; if an IPv6 rule exists, repeat the revoke with Ipv6Ranges='[{CidrIpv6=::/0}]')

aws ec2 revoke-security-group-ingress \
--group-id sg-02f0d35a850ba727f \
--ip-permissions IpProtocol=tcp,FromPort=9092,ToPort=9092,IpRanges='[{CidrIp=0.0.0.0/0}]'

aws ec2 authorize-security-group-ingress \
--group-id sg-02f0d35a850ba727f \
--ip-permissions IpProtocol=tcp,FromPort=9092,ToPort=9092,IpRanges='[{CidrIp=203.0.113.0/24,Description="Kafka access from corpnet"}]'

Backout Plan:

If you have any problems after the implementation, follow implementation steps 1-5, set the Source column back to allow all IPs, and click the Save rules button.

Using AWS CLI:

This command restores the previous rule, re-opening port 9092 to all IPv4 sources (the same exposure this control removes, so keep the backout temporary)

aws ec2 authorize-security-group-ingress \
--group-id sg-02f0d35a850ba727f \
--ip-permissions IpProtocol=tcp,FromPort=9092,ToPort=9092,IpRanges='[{CidrIp=0.0.0.0/0,Description="Kafka access from anywhere (backout)"}]'

Reference:

Authorize inbound traffic for your Windows instances - Amazon Elastic Compute Cloud 

Control traffic to resources using security groups - Amazon Virtual Private Cloud