Profile Applicability:

Level 1

Description:

AWS Security Groups provide stateful filtering for inbound and outbound network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress (0.0.0.0/0) to remote server administration ports, such as:

  • SSH (Port 22 - TCP, UDP, ALL)

  • RDP (Port 3389 - TCP, UDP, ALL)

Allowing public access (0.0.0.0/0) to these ports significantly increases the risk of unauthorized access and potential compromise.

Rationale:

Exposing remote administration ports (e.g., SSH 22, RDP 3389) to the entire internet (0.0.0.0/0) significantly increases security risks, including:

  • Brute-force attacks on SSH and RDP.

  • Unauthorized access, potentially leading to data breaches.

  • Automated scanning and exploitation by cybercriminals.

Organizations should restrict remote access to trusted IP addresses, use VPNs, or leverage AWS Systems Manager Session Manager for secure administration.

Impact:

  • If unrestricted access (0.0.0.0/0) is removed, administrators must ensure an alternative access mechanism is in place (e.g., VPN, bastion host, AWS Session Manager) to maintain connectivity.

  • Without an alternative, legitimate users may lose access to AWS instances.

Default Value:

By default, AWS does not open SSH (22) or RDP (3389) to 0.0.0.0/0 when creating security groups. However, users often manually add overly permissive rules.

Pre-Requisites:

  1. AWS CLI Installed (for command-line checks and modifications).

  2. IAM Permissions Required:

    • ec2:DescribeSecurityGroups (to audit security groups).

    • ec2:RevokeSecurityGroupIngress (to remove non-compliant rules).

  3. Alternative Secure Access Mechanism Available:

    • AWS Systems Manager Session Manager

    • VPN or Bastion Host (Jump Server)

    • Whitelisted IPs from corporate network

  4. Security Group Review Process to validate required network rules before making changes.

Remediation:

Test Plan:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard: AWS VPC Console.

  3. In the left navigation panel, select Security Groups.

  4. For each security group:

    • Select the security group.

    • Click the Inbound Rules tab.

    • Identify rules with:

      • Port 22 (SSH) or 3389 (RDP)

      • Protocol: TCP (6), UDP (17), or ALL (-1)

      • Source: 0.0.0.0/0

Implementation Steps:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to the VPC Dashboard: AWS VPC Console.

  3. In the left navigation panel, select Security Groups.

  4. For each security group:

    • Select the security group.

    • Click Edit inbound rules.

    • Identify rules with:

      • Port 22 or 3389

      • Source: 0.0.0.0/0

    • Update the source field to a trusted IP range (e.g., VPN, corporate IP, or Bastion Host).

    • OR Delete the rule if unnecessary.

    • Click Save rules.
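The console walk-through in the Test Plan and Implementation Steps above does not scale past a handful of groups. The script below is an added example (not part of this benchmark or any AWS tool) that applies the same checks to the JSON that `aws ec2 describe-security-groups --output json` returns: it flags every inbound rule whose protocol is TCP, UDP or ALL (-1), whose port range covers 22 or 3389, and whose source is 0.0.0.0/0, then builds the matching `aws ec2 revoke-security-group-ingress` call for the offending CIDR. It goes one step beyond the control text by also flagging ::/0, the IPv6 equivalent of 0.0.0.0/0. The input is a constructed sample embedded inline; the group ids and the 203.0.113.10 address are placeholders, and the function names are this example's own.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# Not real AWS data: group ids and the 203.0.113.10 address are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {   # non-compliant: SSH open to the world (HTTPS open to the world is fine here)
            "GroupId": "sg-0000000000000001", "GroupName": "web-admin",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {   # non-compliant: a UDP range that happens to cover 3389, plus an all-protocol
            # rule (IpProtocol "-1", no ports) open to every IPv6 address
            "GroupId": "sg-0000000000000002", "GroupName": "legacy",
            "IpPermissions": [
                {"IpProtocol": "udp", "FromPort": 3000, "ToPort": 4000,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {   # compliant: SSH limited to one trusted host
            "GroupId": "sg-0000000000000003", "GroupName": "bastion",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
            ],
        },
    ]
})

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"  # IPv6 counterpart of 0.0.0.0/0; the control text only names IPv4


def rule_covers_port(perm, port):
    """True if this IpPermission admits traffic to `port`.
    "-1" means all protocols and all ports (no FromPort/ToPort). ICMP entries use
    FromPort/ToPort for type/code rather than ports, so they never match."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def world_open_cidrs(perm):
    """The CIDRs in this rule that admit the whole internet (IPv4 and IPv6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return v4 + v6


def find_open_admin_ports(describe_json):
    """One finding per (group, rule, admin port, world-open CIDR)."""
    findings = []
    for sg in json.loads(describe_json).get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            for cidr in world_open_cidrs(perm):
                for port, service in ADMIN_PORTS.items():
                    if rule_covers_port(perm, port):
                        findings.append({"group_id": sg["GroupId"],
                                         "group_name": sg.get("GroupName", ""),
                                         "service": service, "port": port,
                                         "protocol": perm["IpProtocol"],
                                         "cidr": cidr, "perm": perm})
    return findings


def revoke_command(finding):
    """AWS CLI call that removes only the offending source. --ip-permissions takes the
    same JSON shape describe-security-groups returns, so protocol and port range are
    copied as-is and only the world-open CIDR is listed (a trusted /32 stays in place)."""
    perm, cidr = finding["perm"], finding["cidr"]
    spec = {"IpProtocol": perm["IpProtocol"]}
    if "FromPort" in perm:
        spec["FromPort"], spec["ToPort"] = perm["FromPort"], perm["ToPort"]
    if ":" in cidr:
        spec["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        spec["IpRanges"] = [{"CidrIp": cidr}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["group_id"], json.dumps([spec])))


if __name__ == "__main__":
    for f in find_open_admin_ports(SAMPLE_DESCRIBE_OUTPUT):
        print("%s (%s): %s/%s %s open to %s" % (f["group_id"], f["group_name"],
                                                f["service"], f["port"], f["protocol"], f["cidr"]))
        print("  " + revoke_command(f))
```

On the sample this reports four findings: SSH on sg-0000000000000001, RDP via the 3000-4000 UDP range on sg-0000000000000002, and both SSH and RDP via that group's all-protocol rule open to ::/0; the bastion group is not reported. A rule whose range merely covers an admin port (the 3000-4000 case) may also carry legitimate traffic, so per the Security Group Review Process prerequisite, narrow the range rather than revoke it outright, and confirm an alternative access path exists before running any revoke command.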

Backout Plan:

If necessary access is lost:

  1. Restore a temporary security group rule allowing access from a specific trusted IP:

    aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <your-trusted-ip>/32

  2. Ensure AWS Systems Manager is enabled for future remote access.

  3. Implement a bastion host or VPN before removing wide-open access again.

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
CIS v8              | 4.5        | Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
CIS v7              | 9.4        | Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.