Description:  

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.

Rationale:

Removing unfettered connectivity to remote console services, such as Kibana on TCP port 5601, reduces a server's exposure to risk.

Impact:

When updating an existing environment, take care to ensure that administrators who currently rely on the ingress rule from 0.0.0.0/0 still have access to port 5601 through another security group.

Default Value:

A VPC comes with a default security group. If you don’t specify a different security group when you launch the instance, the default security group will be associated with the instance. By default, the security group allows all inbound connections.


Pre-Requisite:

  • Identify the AWS resources that exist within the default security group.

  • Before following the implementation steps, create a set of least-privilege security groups for those resources.

  • Place the resources in those security groups.



Remediation:

Test plan:

  • Sign in to the AWS Management Console.

  • Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc/home

  • In the left navigation pane, click Security Groups.

  • Select the security group to audit.

  • Click the Inbound Rules tab.

  • If you find a rule for port 5601 with the source 0.0.0.0/0 (Anywhere), traffic to this port is not restricted. To restrict it, follow the implementation steps.


Using AWS CLI:

To describe a security group (the flag takes one or more group ids):

aws ec2 describe-security-groups --group-ids <group_id>

Implementation Steps:

  • Log in to the AWS Management Console.

  • Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc/home

  • In the left navigation pane, click Security Groups.

  • Select the security group that you want to reconfigure.

  • Click the Inbound Rules tab in the bottom panel of the dashboard.

  • Click the Edit inbound rules button.

  • For the rule with type Kibana, port range 5601 and protocol TCP, remove 0.0.0.0/0 (Anywhere) from the Source column and enter a least-privilege source range, or select My IP.

  • Click the Save button.



Using AWS CLI:

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-name MyMSServerSecurityGroup \
  --protocol tcp \
  --port 5601 \
  --cidr 0.0.0.0/0
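The console test plan and the describe/revoke CLI calls above check and remove one exact rule. The following is an added example, not part of this benchmark or of the AWS CLI, that applies the same check to the JSON that aws ec2 describe-security-groups prints: it flags every rule that reaches port 5601 from 0.0.0.0/0 or ::/0, including port ranges that merely contain 5601 and "all traffic" (-1) rules, and builds the matching revoke command for each finding. The group ids, names and CIDRs in SAMPLE_DESCRIBE_OUTPUT are constructed; the function names are this example's own.

```python
import json
import shlex

KIBANA_PORT = 5601
ANYWHERE = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "Anywhere"

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Group ids, names and CIDRs are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "kibana-sg",
            "IpPermissions": [
                # The finding this check is about: Kibana open to the world
                {"IpProtocol": "tcp", "FromPort": 5601, "ToPort": 5601,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                # SSH restricted to one admin host: compliant
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "wide-range-sg",
            "IpPermissions": [
                # A port range that happens to include 5601, open to all of IPv6
                {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                # All traffic, but only from a private range: not a finding
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                 "Ipv6Ranges": []},
            ],
        },
    ]
})


def rule_covers_port(perm, port):
    """True if this IpPermission reaches `port` over TCP; -1 means every protocol and port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_cidrs(perm):
    """CIDRs on this rule that mean 'Anywhere', in either address family."""
    found = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
    found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE]
    return found


def find_exposed_rules(describe_json, port=KIBANA_PORT):
    """One finding per (group, rule, world CIDR) that exposes `port` to the internet."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for cidr in world_cidrs(perm):
                findings.append({
                    "group_id": sg["GroupId"],
                    "protocol": perm["IpProtocol"],
                    "from_port": perm.get("FromPort"),
                    "to_port": perm.get("ToPort"),
                    "cidr": cidr,
                })
    return findings


def revoke_command(finding, region="us-east-1"):
    """Build the revoke call for one finding.

    AWS removes an ingress rule only when protocol, port range and CIDR match the
    existing rule exactly, so the arguments come from the finding, not from the
    single port we audited. --cidr takes IPv4 only; IPv6 goes via --ip-permissions.
    """
    base = ["aws", "ec2", "revoke-security-group-ingress",
            "--region", region, "--group-id", finding["group_id"]]
    if ":" in finding["cidr"]:   # IPv6 rule
        ports = ""
        if finding["protocol"] != "-1":
            ports = f",FromPort={finding['from_port']},ToPort={finding['to_port']}"
        perm = (f"IpProtocol={finding['protocol']}{ports},"
                f"Ipv6Ranges=[{{CidrIpv6={finding['cidr']}}}]")
        return shlex.join(base + ["--ip-permissions", perm])
    cmd = base + ["--protocol", finding["protocol"]]
    if finding["protocol"] != "-1":
        cmd += ["--port", f"{finding['from_port']}-{finding['to_port']}"]
    return shlex.join(cmd + ["--cidr", finding["cidr"]])


if __name__ == "__main__":
    for f in find_exposed_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['group_id']}: {f['protocol']} {f['from_port']}-{f['to_port']} from {f['cidr']}")
        print("   ", revoke_command(f))
```

To audit a live account, replace SAMPLE_DESCRIBE_OUTPUT with the JSON printed by aws ec2 describe-security-groups --output json. Two points the generated commands reflect: a rule such as 5000-6000 cannot be narrowed by revoking 5601 alone, the whole rule has to be revoked and re-added with a tighter range and source; and the example uses --group-id rather than the --group-name form shown above, because a group name is only resolved for security groups in the default VPC.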



Backout Plan:

  • Sign in to the AWS Management Console.

  • Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/

  • In the navigation pane, under the SECURITY section, choose Security Groups.

  • Select the Security group that you want to reconfigure.

  • Select the Inbound Rules tab from the dashboard bottom panel.

  • Click the Edit button to change the current configuration and revert the changes made.

  • Save the changes.


Using AWS CLI:

aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-name MyMSServerSecurityGroup \
  --protocol tcp \
  --port 5601 \
  --cidr 0.0.0.0/0


Reference:

Authorize inbound traffic for your Windows instances - Amazon Elastic Compute Cloud 

describe-security-groups — AWS CLI 1.22.78 Command Reference