Description:
AWS security groups control the traffic that is allowed to flow into and out of your AWS resources. By default, security groups allow all traffic from anywhere. This means that anyone on the internet could connect to your resources using Telnet, a protocol often used for remote administration.
Rationale:
Allowing ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 is a security risk because it lets anyone on the internet connect to your resources over Telnet, which could give attackers unauthorized access to your systems.
Impact:
If ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 is allowed, anyone on the internet could connect to your resources over Telnet, and attackers could use that access to gain unauthorized entry to your systems. This could lead to data breaches, financial losses, or system downtime.
Default Value:
By default, security groups allow all traffic from anywhere. This means that ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 is allowed by default.
Pre-requisites:
- You must have an AWS account and be logged in to the AWS Management Console.
Remediation Steps:
- Sign in to the AWS Management Console.
- Go to the AWS EC2 console.
- Click Security Groups in the left navigation pane.
- Select the security group that you want to modify.
- On the Inbound Rules tab, remove any rules that allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23.
- Click Save.
Test Plan:
- Verify that the security group no longer allows ingress from 0.0.0.0/0 or ::/0 to Telnet port 23.
- Try to connect to the resource using Telnet from an external machine.
- If you are unable to connect, then the security group has been modified correctly.
Implementation Plan:
- Create a policy that requires all security groups to deny ingress from 0.0.0.0/0 or ::/0 to Telnet port 23.
- Implement the policy by modifying all security groups that allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23.
- Monitor the status of the policy to ensure that no security groups allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23.
AWS CLI Process:
- Run the following commands to revoke the rules that allow ingress from 0.0.0.0/0 or ::/0 to Telnet port 23 (the --cidr option accepts IPv4 only, so the ::/0 rule is revoked through --ip-permissions):
aws ec2 revoke-security-group-ingress --group-id my-security-group-id --protocol tcp --port 23 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id my-security-group-id --ip-permissions '[{"IpProtocol":"tcp","FromPort":23,"ToPort":23,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
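The Implementation Plan's monitoring step and the CLI command above can be automated together. The following is an added example, not part of this control page: it scans the JSON returned by `aws ec2 describe-security-groups` for rules that reach TCP/23 from 0.0.0.0/0 or ::/0 (including port ranges that span 23 and "all traffic" rules) and emits a matching revoke command for each finding. The group IDs and rules in SAMPLE are constructed; the function and constant names are this example's own.

```python
"""Flag security group rules that expose TCP/23 (Telnet) to anyone and build the matching
revoke commands from `aws ec2 describe-security-groups` JSON. Sample data is constructed."""
import json

TELNET_PORT = 23
ANYWHERE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "from anywhere"

def rule_covers_telnet(perm):
    """-1 (all traffic) has no ports and matches; tcp matches when 23 is in [From, To]."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= TELNET_PORT <= perm.get("ToPort", 65535)

def open_sources(perm):
    """CIDRs in this rule that mean 'anyone on the internet' (IPv4 and IPv6)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE])

def find_open_telnet(describe_output):
    """Return (group_id, rule, cidr) for every rule that exposes Telnet to anywhere."""
    return [(sg["GroupId"], perm, cidr)
            for sg in describe_output.get("SecurityGroups", [])
            for perm in sg.get("IpPermissions", []) if rule_covers_telnet(perm)
            for cidr in open_sources(perm)]

def revoke_command(group_id, perm, cidr):
    """A rule is revoked as it exists (same protocol and port range); ::/0 must go
    through Ipv6Ranges in --ip-permissions because --cidr accepts IPv4 only."""
    spec = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":  # 'all traffic' rules carry no port fields
        spec.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
    if ":" in cidr:
        spec["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        spec["IpRanges"] = [{"CidrIp": cidr}]
    return "aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'" % (
        group_id, json.dumps([spec]))

SAMPLE = {"SecurityGroups": [  # constructed; sg-0c is internal-only and must not be flagged
    {"GroupId": "sg-0a", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}]}
```

Feed real output in place of SAMPLE (for example `json.load` of `aws ec2 describe-security-groups`), then review each command from `revoke_command` before running it, since a rule like 20-25 or "all traffic" is removed whole, not just port 23.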
Using AWS GUI:
- Go to the AWS EC2 console.
- Click Security Groups in the left navigation pane.
- Select the security group that you want to modify.
- On the Inbound Rules tab, click Add Rule.
- In the Type drop-down list, select Custom TCP Rule.
- In the Protocol field, enter TCP.
- In the Port Range field, enter 23.
- In the Source field, select Custom CIDR.
- In the CIDR field, enter 0.0.0.0/0.
- Click Add.
Backout Plan:
- If you accidentally deny ingress on a security group that should still allow it, you can restore ingress by following the same steps as above, but selecting Allow instead of Deny in the Type drop-down list.
- You can also roll back the policy that requires all security groups to deny ingress from 0.0.0.0/0 or ::/0 to Telnet port 23.