Description:

This policy ensures that VPC security groups do not allow ingress traffic from public IPv4 CIDR ranges, that is, ranges outside the RFC 1918 private address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). This helps to mitigate the risk of unauthorized access to resources in the VPC.

Rationale:

By default, VPC security groups allow ingress traffic from all IPv4 CIDR ranges. This means that any device on the internet could potentially connect to resources in the VPC. If a security group is wide-open, this could allow unauthorized access to sensitive data or systems.

Impact:

If a VPC security group is wide-open, unauthorized users could gain access to resources in the VPC. This could lead to data breaches, intellectual property theft, or other security incidents.

Default Value:

By default, VPC security groups allow ingress traffic from all IPv4 CIDR ranges.

Pre-requisites:

  • Access to the AWS Management Console or the AWS CLI
  • The ability to manage VPC security groups

Remediation Steps:

  1. Open the AWS Management Console or the AWS CLI.
  2. Go to the VPC console.
  3. Click on Security Groups.
  4. Select the security group that you want to check.
  5. Click on the Inbound tab.
  6. Review the ingress rules.
  7. If any of the rules allow ingress traffic from public IPv4 CIDR ranges, remove the rules.
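The review in steps 6 and 7 can be scripted. The following is an added example, not part of this policy document or of AWS tooling: it takes the `IpPermissions` structure that `aws ec2 describe-security-groups` returns for one security group, flags every IPv4 source CIDR that is not fully contained in an RFC 1918 range, and prints the matching `revoke-security-group-ingress` invocation for each finding. The security group below is a constructed sample (the group IDs and CIDRs are made up), and the script runs offline on it; pointing it at real `describe-security-groups` output is left to the operator. Rules that reference another security group (`UserIdGroupPairs`) carry no CIDR and are skipped, and IPv6 ranges are out of scope for this IPv4 policy.

```python
import ipaddress
import json

# RFC 1918 private IPv4 ranges. A source CIDR counts as public unless it is
# entirely inside one of these (so 0.0.0.0/0 and 10.0.0.0/7 are both public).
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
        {"IpProtocol": "udp", "FromPort": 1024, "ToPort": 2048,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def is_public_ipv4_cidr(cidr):
    """True if an IPv4 CIDR reaches outside RFC 1918 space; IPv6 is ignored."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False
    return not any(net.subnet_of(private) for private in RFC1918_NETWORKS)


def find_public_ingress(security_group):
    """Return (protocol, from_port, to_port, cidr) for every public IPv4 ingress rule."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        from_port = perm.get("FromPort")   # absent when IpProtocol is -1 (all)
        to_port = perm.get("ToPort")
        for ip_range in perm.get("IpRanges", []):   # IPv4 sources only
            cidr = ip_range["CidrIp"]
            if is_public_ipv4_cidr(cidr):
                findings.append((proto, from_port, to_port, cidr))
    return findings


def revoke_command(group_id, finding):
    """Build the AWS CLI command that removes exactly this rule.

    revoke-security-group-ingress only matches a rule whose protocol, port
    range and CIDR are all identical, so every field is carried over.
    """
    proto, from_port, to_port, cidr = finding
    cmd = ["aws", "ec2", "revoke-security-group-ingress",
           "--group-id", group_id,
           "--protocol", "all" if proto == "-1" else proto]
    if from_port is not None:
        port = str(from_port) if from_port == to_port else f"{from_port}-{to_port}"
        cmd += ["--port", port]
    cmd += ["--cidr", cidr]
    return " ".join(cmd)


def audit(security_group):
    """Return the remediation commands for one security group."""
    group_id = security_group["GroupId"]
    return [revoke_command(group_id, f) for f in find_public_ingress(security_group)]


if __name__ == "__main__":
    findings = find_public_ingress(SAMPLE_SECURITY_GROUP)
    print(json.dumps(findings, indent=2))
    for line in audit(SAMPLE_SECURITY_GROUP):
        print(line)
```

Only the two rules sourced from 0.0.0.0/0 and 203.0.113.0/24 are reported; the 10.0.0.0/8 and 192.168.0.0/16 sources and the security-group-referenced rule pass. Review the printed commands before running them, since a rule such as 0.0.0.0/0 on port 443 may be intentional for a public load balancer and would need an exception rather than removal.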

Test Plan:

  1. Verify that the ingress rules have been removed.
  2. Try to connect to a resource in the VPC from a device on the internet.
  3. Verify that you are unable to connect to the resource.

Implementation Plan:

  1. Follow the remediation steps above to implement the policy.
  2. Test the policy to make sure that it is working as expected.

AWS CLI Process:

To remove an ingress rule from a VPC security group using the AWS CLI, you can use the following command. The protocol, port (or port range) and CIDR must match the existing rule exactly, otherwise nothing is revoked; the security group is identified by ID because `--group-name` only works for security groups in a default VPC:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol <tcp|udp|icmp|all> --port <port-or-range> --cidr <cidr-block>

Using AWS GUI:

To remove ingress rules from a VPC security group using the AWS GUI, you can follow these steps:

  1. Go to the AWS Management Console.
  2. Click on the VPC tab.
  3. Click on Security Groups.
  4. Select the security group that you want to check.
  5. Click on the Inbound tab.
  6. Delete any rules that allow ingress traffic from public IPv4 CIDR ranges.

Backout Plan:

To restore a removed ingress rule to the VPC security group, you can use the following command with the same protocol, port and CIDR values that were revoked:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <tcp|udp|icmp|all> --port <port-or-range> --cidr <cidr-block>

Note:

  • This policy only applies to VPC security groups.
  • If you have any questions about this policy, please contact your AWS administrator.

Reference:

  • VPC documentation: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

Section 2:

  • Tags: security, ingress, public IPv4, CIDR, VPC
  • Keywords: wide-open security groups, VPC security groups, AWS policy