Profile Applicability:

Level 1

Description:

Security Groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress (::/0) to remote server administration ports, such as:

  • SSH (Port 22)

  • RDP (Port 3389)

Allowing public access to these ports increases the risk of unauthorized access and potential compromise of resources.

Rationale:

Exposing remote administration ports (e.g., 22 for SSH, 3389 for RDP) to the entire internet (::/0) significantly increases exposure to attacks such as:

  • Brute force attacks on SSH and RDP services.

  • Unauthorized access to servers, leading to data breaches.

  • Automated scanning and exploitation by threat actors.

Organizations should restrict remote administration to trusted IP addresses or use VPNs, bastion hosts, or AWS Session Manager for secure access.

Impact:

  • If unrestricted access (::/0) is removed, ensure that administrators have an alternative mechanism (e.g., VPN, jump servers, AWS Systems Manager) to maintain access.

  • Without an alternative, administrators may lose remote access to manage AWS instances.

Default Value:

By default, AWS does not open SSH (22) or RDP (3389) to ::/0 when creating security groups. However, users often add overly permissive rules manually.

Pre-Requisites:

  1. AWS CLI Installed (for command-line operations).

  2. IAM Permissions Required:

    • ec2:DescribeSecurityGroups (for auditing).

    • ec2:RevokeSecurityGroupIngress (for removing non-compliant rules).

  3. Alternative Access Mechanism available to prevent lockout, such as:

    • AWS Systems Manager (Session Manager)

    • VPN Gateway

    • Bastion Host (Jump Server)

  4. Security Group Review Process established before modifications.

Remediation:

Test Plan:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard: AWS VPC Console.

  3. In the left navigation panel, select Security Groups.

  4. For each security group:

    • Select the security group.

    • Click the Inbound Rules tab.

    • Identify rules with:

      • Port range: 22 (SSH) or 3389 (RDP) and Source: ::/0 (IPv6)
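The same check can be run against the output of the AWS CLI instead of clicking through every group. This is an added example, not part of the benchmark text: it evaluates the JSON shape returned by `aws ec2 describe-security-groups` (boto3 returns the same structure) and, going slightly beyond the console steps above, also flags rules whose port range merely covers 22 or 3389, including IpProtocol "-1" (all traffic), which a search for an exact port of 22 would miss. The sample groups and their IDs are constructed; the boto3 call under `__main__` is only for a live account.

```python
"""Audit security groups for IPv6 ::/0 ingress to SSH (22) and RDP (3389).
Works on the JSON shape of `aws ec2 describe-security-groups` / boto3."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
UNRESTRICTED_V6 = "::/0"

def rule_exposes_port(perm, port):
    """True if one IpPermissions entry admits `port` over TCP or all protocols.
    IpProtocol "-1" (all traffic) has no port fields; otherwise FromPort..ToPort
    must cover the port, so 0-65535 is caught as well as an exact 22 or 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def find_unrestricted_admin_ingress(security_groups):
    """Return (GroupId, service) for every rule open to ::/0 on an admin port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
            if UNRESTRICTED_V6 not in sources:
                continue
            for port, service in ADMIN_PORTS.items():
                if rule_exposes_port(perm, port):
                    findings.append((sg["GroupId"], service))
    return findings

# Constructed sample shaped like a describe-security-groups response
# (group IDs are placeholders, not real resources).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    import boto3  # live audit; needs ec2:DescribeSecurityGroups
    live = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for group_id, service in find_unrestricted_admin_ingress(live):
        print(f"{group_id}: {service} open to {UNRESTRICTED_V6}")
```

Against the constructed sample, sg-0example1 (SSH to ::/0) and sg-0example3 (all traffic to ::/0, so both SSH and RDP) are reported; sg-0example2 is not, because its source is a specific IPv6 prefix.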


Implementation Steps:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard: AWS VPC Console.

  3. In the left navigation panel, select Security Groups.

  4. For each security group:

    • Select the security group.

    • Click Edit inbound rules.

    • Identify rules with:

      • Port 22 or 3389

      • Source: ::/0

    • Update the source field to a trusted IP range (e.g., corporate VPN or jump server).

    • Or delete the rule if it is unnecessary.

    • Click Save rules.

Backout Plan:

If necessary access is lost:

  1. Restore a temporary security group rule allowing access from a specific trusted IP:

    aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <your-trusted-ip>/32

  2. Ensure AWS Systems Manager is enabled for future remote access.

  3. Implement a bastion host or VPN before removing wide-open access again.

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
CIS v8              | 4.5        | Implement and manage a firewall with a default-deny rule
CIS v7              | 9.4        | Apply host-based firewalls or port filtering