Description:
This policy ensures that VPC security groups do not allow ingress traffic from public IPv4 CIDR ranges (non-RFC1918). This helps to mitigate the risk of unauthorized access to resources in the VPC.
Rationale:
By default, VPC security groups allow ingress traffic from all IPv4 CIDR ranges. This means that any device on the internet could potentially connect to resources in the VPC. If a security group is wide-open, this could allow unauthorized access to sensitive data or systems.
Impact:
If a VPC security group is wide-open, unauthorized users could gain access to resources in the VPC. This could lead to data breaches, intellectual property theft, or other security incidents.
Default Value:
By default, VPC security groups allow ingress traffic from all IPv4 CIDR ranges.
Pre-requisites:
- Access to the AWS Management Console or the AWS CLI
- The ability to manage VPC security groups
Remediation Steps:
- Open the AWS Management Console or the AWS CLI.
- Go to the VPC console.
- Click on Security Groups.
- Select the security group that you want to check.
- Click on the Inbound tab.
- Review the ingress rules.
- If any of the rules allow ingress traffic from public IPv4 CIDR ranges, remove the rules.
Test Plan:
- Verify that the ingress rules have been removed.
- Try to connect to a resource in the VPC from a device on the internet.
- Verify that you are unable to connect to the resource.
Implementation Plan:
- Follow the remediation steps above to implement the policy.
- Test the policy to make sure that it is working as expected.
AWS CLI Process:
To remove ingress rules from a VPC security group using the AWS CLI, you can use the following command:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol <tcp|udp|icmp|-1> --port <port-or-range> --cidr <cidr-block>
The CLI has no --source-cidr-blocks option: the source range is given with --cidr, and --protocol and --port identify which rule to revoke. --group-name <security-group-name> can be used in place of --group-id only for security groups in the default VPC.
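As an added example (not part of this policy document), the following Python script flags ingress rules whose IPv4 source CIDR lies outside RFC 1918 space and renders the matching revoke command for each. It uses only the standard library and runs against a constructed sample in the shape of `aws ec2 describe-security-groups` output; the group IDs are placeholders.

```python
import ipaddress

# RFC 1918 private IPv4 ranges; any IPv4 source outside these counts as public.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public_cidr(cidr):
    """True if an IPv4 CIDR is not fully inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False  # the policy is scoped to IPv4 rules
    # 0.0.0.0/0 overlaps private space but is a subnet of none of it, so it is public.
    return not any(net.subnet_of(private) for private in RFC1918)

def find_public_ingress(security_groups):
    """Walk the SecurityGroups list from describe-security-groups; one finding per public rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                if is_public_cidr(rng["CidrIp"]):
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "IpProtocol": perm["IpProtocol"],   # "-1" means all protocols
                        "FromPort": perm.get("FromPort"),   # absent when protocol is "-1"
                        "ToPort": perm.get("ToPort"),
                        "CidrIp": rng["CidrIp"],
                    })
    return findings

def revoke_command(f):
    """Render the AWS CLI command that removes one offending rule (not executed here)."""
    cmd = ["aws", "ec2", "revoke-security-group-ingress",
           "--group-id", f["GroupId"], "--protocol", f["IpProtocol"]]
    if f["FromPort"] is not None:
        port = (str(f["FromPort"]) if f["FromPort"] == f["ToPort"]
                else f'{f["FromPort"]}-{f["ToPort"]}')
        cmd += ["--port", port]
    return " ".join(cmd + ["--cidr", f["CidrIp"]])

# Constructed sample in the shape of describe-security-groups output (placeholder IDs).
SAMPLE_SGS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/16"}]}]},
]
```

To run it against a real account, load the JSON from `aws ec2 describe-security-groups --output json` and pass its `SecurityGroups` list to `find_public_ingress`; review each rendered command before executing it.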
Using AWS GUI:
To remove ingress rules from a VPC security group using the AWS GUI, you can follow these steps:
- Go to the AWS Management Console.
- Click on the VPC tab.
- Click on Security Groups.
- Select the security group that you want to check.
- Click on the Inbound tab.
- Delete any rules that allow ingress traffic from public IPv4 CIDR ranges.
Backout Plan:
To restore the ingress rules to the VPC security group, you can use the following command:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <tcp|udp|icmp|-1> --port <port-or-range> --cidr <cidr-block>
As with the revoke command, the source range is given with --cidr (there is no --source-cidr-blocks option), and --protocol and --port must match the rule being restored.
Note:
- This policy only applies to VPC security groups.
- If you have any questions about this policy, please contact your AWS administrator.
Reference:
- VPC documentation: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
Section 2:
- Tags: security, ingress, public IPv4, CIDR, VPC
- Keywords: wide-open security groups, VPC security groups, AWS policy