Description:
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.
Rationale:
Removing unfettered connectivity to remote management services, such as Kibana on TCP port 5601, reduces a server's exposure to risk.
Impact:
For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to port 5601 through another security group.
Default Value:
A VPC comes with a default security group. If you don’t specify a different security group when you launch the instance, the default security group will be associated with the instance. By default, the security group allows all inbound connections.
Pre-Requisite:
- Identify the AWS resources that exist within the default security group.
- Before the implementation steps, create a set of least-privilege security groups for those resources.
- Place the resources in those security groups.
Remediation:
Test plan:
- Sign in to the AWS Management Console.
- Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc/home
- In the left navigation pane, click Security Groups.
- Select the security group to audit.
- Click on the Inbound Rules tab of the security group.
- If you find a rule for port 5601 with the source 0.0.0.0/0 (Anywhere), traffic to this port is not restricted. To restrict the traffic, follow the implementation steps.
Using AWS CLI:
To describe a security group (the AWS CLI parameter is --group-ids; --group-names selects by name):
aws ec2 describe-security-groups --group-ids <group-id>
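The audit step above can be automated over the JSON that describe-security-groups returns. The following is an added example, not part of the benchmark text; it checks every ingress rule that covers port 5601 (including "all traffic" rules) and, as a generalization of the page's 0.0.0.0/0 check, also flags the IPv6 any-address ::/0. The sample response is constructed and the group IDs in it are not real.

```python
import json

# Port under audit (Kibana), taken from the benchmark text above.
KIBANA_PORT = 5601
# "::/0" added as a generalization beyond the page's 0.0.0.0/0 check.
OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port` ("-1" = all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def unrestricted_ingress(describe_output, port=KIBANA_PORT):
    """Return [(group_id, cidr)] for each ingress rule open to the world on `port`.
    `describe_output` is the parsed JSON of `aws ec2 describe-security-groups`."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for src in sources:
                if src in OPEN_TO_WORLD:
                    findings.append((sg["GroupId"], src))
    return findings


# Constructed sample, shaped like describe-security-groups output (not real groups).
SAMPLE = json.loads("""{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "kibana-open", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5601, "ToPort": 5601,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "kibana-restricted", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5601, "ToPort": 5601,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "all-traffic", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}""")

if __name__ == "__main__":
    for group_id, src in unrestricted_ingress(SAMPLE):
        print(f"FAIL {group_id}: port {KIBANA_PORT} open to {src}")
```

To run it against a live account, replace SAMPLE with json.load() of the output of the describe-security-groups command above.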
Implementation Steps:
- Log in to the AWS Management Console.
- Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc/home
- In the left navigation pane, click Security Groups.
- Select the security group that you want to reconfigure.
- Click the Inbound Rules tab in the bottom panel of the dashboard.
- Click the Edit inbound rules button.
- For the rule of type Kibana (port range 5601, protocol TCP), remove 0.0.0.0/0 (Anywhere) from the Source column and enter a least-privilege source range, or select My IP.
- Click the Save button.
Using AWS CLI:
aws ec2 revoke-security-group-ingress --region us-east-1 --group-name MyMSServerSecurityGroup --protocol tcp --port 5601 --cidr 0.0.0.0/0
Note: --group-name is accepted only for security groups in the default VPC; for a group in a non-default VPC, identify it with --group-id instead.
Backout Plan:
Sign in to the AWS Management Console.
Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/
In the navigation panel, under the SECURITY section, choose Security Groups.
Select the Security group that you want to reconfigure.
Select the Inbound Rules tab from the dashboard bottom panel.
Click the Edit button to change the current configuration and revert the changes made.
Save the changes.
Using AWS CLI:
aws ec2 authorize-security-group-ingress --region us-east-1 --group-name MyMSServerSecurityGroup --protocol tcp --port 5601 --cidr 0.0.0.0/0
Reference:
Authorize inbound traffic for your Windows instances - Amazon Elastic Compute Cloud
describe-security-groups — AWS CLI 1.22.78 Command Reference