Description:
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. This rule checks that the security groups in use do not allow unrestricted inbound traffic to the specified ports.
Rationale:
Removing unfettered connectivity to remote console services, and to internal database or web servers that nobody outside should reach, reduces the server's exposure to risk. Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to common ports over TCP or UDP.
Impact:
If this rule is not applied, the server is reachable from every network, which increases the chance of the server being compromised or data being lost. The rule is compliant when inbound TCP connections to the specified ports are restricted to specific source IP addresses. This rule applies only to IPv4.
Default Value:
By default, new security groups start with only an outbound rule that allows all traffic to leave the resource. You must add rules to enable any inbound traffic or to restrict the outbound traffic.
Pre-requisites:
You must have a defined VPC (Virtual Private Cloud).
You must have a security group.
Remediation:
Test Plan
Using AWS Console:
1. Sign in to the AWS Management Console.
2. Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
3. In the left menu, select Security Groups.
4. Select the security group that you want to check.
5. Select the Inbound tab.
6. Verify that the EC2 instance security group does not allow unrestricted access (i.e. 0.0.0.0/0 for IPv4 and ::/0 for IPv6) on common ports, to protect the instance from attackers. In the example shown here, the security group allows requests from anywhere (i.e. 0.0.0.0/0) on common ports such as 22 (SSH) and 80 (HTTP), so it is non-compliant.
Using AWS CLI:
For IPv4 addresses:
To list all the security groups that allow unrestricted inbound access from any IPv4 address:
aws ec2 describe-security-groups --region <region> --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --output table --query 'SecurityGroups[*].GroupId'
For IPv6 addresses:
To list all the security groups that allow unrestricted inbound access from any IPv6 address,
replace --filters Name=ip-permission.cidr,Values='0.0.0.0/0' with --filters Name=ip-permission.ipv6-cidr,Values='::/0' in the above command:
aws ec2 describe-security-groups --region <region> --filters Name=ip-permission.ipv6-cidr,Values='::/0' --output table --query 'SecurityGroups[*].GroupId'
To list all the inbound/ingress rules defined for the selected EC2 security group:
aws ec2 describe-security-groups --region <region> --group-ids <group-id> --query 'SecurityGroups[*].IpPermissions[]'
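As an added example (not part of the original rule page), the following Python evaluates the IpPermissions JSON that the CLI commands above return and reports every common port that is open to 0.0.0.0/0 or ::/0, including the all-traffic (IpProtocol -1) case. The port set and the three sample groups are constructed for the example.

```python
import json

# Constructed assumption: the common ports this check cares about.
COMMON_PORTS = {21, 22, 23, 3306, 3389}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def port_range(perm):
    """Port range covered by one IpPermissions entry; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def unrestricted_sources(perm):
    """CIDR sources in this entry that mean 'anywhere' (IPv4 and IPv6)."""
    srcs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    srcs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return srcs


def find_open_common_ports(groups, common_ports=COMMON_PORTS):
    """Return (group_id, port, source) for every common port open to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("-1", "tcp", "udp"):
                continue  # ICMP entries use FromPort/ToPort for type/code, not ports
            lo, hi = port_range(perm)
            for src in unrestricted_sources(perm):
                findings += [(sg["GroupId"], p, src) for p in sorted(common_ports) if lo <= p <= hi]
    return findings


# Constructed sample in the shape of `describe-security-groups --query 'SecurityGroups[*]'`.
SAMPLE_GROUPS = json.loads("""[
  {"GroupId": "sg-0example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example2", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0example3", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.5.0/24"}], "Ipv6Ranges": []}]}
]""")

if __name__ == "__main__":
    for group_id, port, src in find_open_common_ports(SAMPLE_GROUPS):
        print(f"{group_id}: port {port} open to {src}")
```

Port 443 in the first group and the 10.0.5.0/24-restricted MySQL rule in the third are not reported; the all-traffic IPv6 rule in the second group is reported once per common port.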
Implementation steps:
1. Sign in to the AWS Management Console.
2. Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
3. In the left menu, scroll down and select Security Groups.
4. Select the security group that you want to change.
5. After selecting the security group, the Inbound Rules tab appears; click Edit Inbound Rules on the right side to edit the inbound rules.
6. In the Edit inbound rules dialog box, go to the Source column, click the source dropdown and perform one of the following actions to restrict the inbound traffic:
a. Select My IP to allow inbound traffic only from your machine (i.e. from your IP address only).
OR
b. Select Custom and enter IP addresses, or the names or IDs of another security group, based on your access requirements.
7. Click Save Rules to apply the changes.
Using AWS CLI:
Here you can define the inbound rules in two ways.
1. Allow a single static IP address to reach the EC2 instance group, e.g. 10.0.3.63/28:
aws ec2 authorize-security-group-ingress --region <region> --group-id <group-id> --protocol <tcp/udp> --port <port-no> --cidr <static-ip>
2. Allow a pool of IP addresses (a subnet), e.g. 10.0.5.0/24:
aws ec2 authorize-security-group-ingress --region <region> --group-id <group-id> --protocol <tcp/udp> --port <port-no> --cidr <ip-subnet>
Backout plan:
Using AWS Console:
1. Sign in to the AWS Management Console.
2. Go to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
3. Click on Security Groups.
4. Select the security group you want to change.
5. Click on Edit inbound rules.
6. Change the Source type.
7. Click on Save changes.
Using AWS CLI:
To undo the changes (this example revokes the rule for TCP port 8040; the --ip-permissions value is quoted so the shell passes the brackets and braces through unchanged):
aws ec2 revoke-security-group-ingress --region <region> --group-id <group-id> --ip-permissions 'IpProtocol=tcp,FromPort=8040,ToPort=8040,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}]'
References:
https://docs.aws.amazon.com/config/latest/developerguide/restricted-common-ports.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-volumes.html