Profile Applicability:
Level 1
Description:
AWS Security Groups provide stateful filtering for inbound and outbound network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress (0.0.0.0/0) to remote server administration ports, such as:
SSH (Port 22 - TCP, UDP, ALL)
RDP (Port 3389 - TCP, UDP, ALL)
Allowing public access (0.0.0.0/0) to these ports significantly increases the risk of unauthorized access and potential compromise.
Rationale:
Exposing remote administration ports (e.g., SSH 22, RDP 3389) to the entire internet (0.0.0.0/0) significantly increases security risks, including:
Brute-force attacks on SSH and RDP.
Unauthorized access, potentially leading to data breaches.
Automated scanning and exploitation by cybercriminals.
Organizations should restrict remote access to trusted IP addresses, use VPNs, or leverage AWS Systems Manager Session Manager for secure administration.
Impact:
If unrestricted access (0.0.0.0/0) is removed, administrators must ensure an alternative access mechanism is in place (e.g., VPN, bastion host, AWS Session Manager) to maintain connectivity.
Without an alternative, legitimate users may lose access to AWS instances.
Default Value:
By default, AWS does not open SSH (22) or RDP (3389) to 0.0.0.0/0 when creating security groups. However, users often manually add overly permissive rules.
Pre-Requisites:
AWS CLI Installed (for command-line checks and modifications).
IAM Permissions Required:
ec2:DescribeSecurityGroups (to audit security groups).
ec2:RevokeSecurityGroupIngress (to remove non-compliant rules).
Alternative Secure Access Mechanism Available:
AWS Systems Manager Session Manager
VPN or Bastion Host (Jump Server)
Whitelisted IPs from corporate network
Security Group Review Process to validate required network rules before making changes.
Remediation:
Test Plan:
Using AWS Console
Sign in to the AWS Management Console.
Navigate to the VPC Dashboard (AWS VPC Console).
In the left navigation panel, select Security Groups.
For each security group:
Select the security group.
Click the Inbound Rules tab.
Identify rules with:
Port 22 (SSH) or 3389 (RDP)
Protocol: TCP (6), UDP (17), or ALL (-1)
Source: 0.0.0.0/0
Implementation Steps:
Using AWS Console
Sign in to the AWS Management Console.
Navigate to the VPC Dashboard (AWS VPC Console).
In the left navigation panel, select Security Groups.
For each security group:
Select the security group.
Click Edit inbound rules.
Identify rules with:
Port 22 or 3389
Source: 0.0.0.0/0
Update the source field to a trusted IP range (e.g., VPN, corporate IP, or bastion host), or delete the rule if it is unnecessary.
Click Save rules.
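The audit in the Test Plan and the rule removal in the Implementation Steps can both be driven from the JSON that `aws ec2 describe-security-groups` returns. The following Python is an added example and is not part of this benchmark or of the AWS CLI: it scans constructed sample output in the CLI's shape, flags any rule that reaches port 22 or 3389 (directly, through a port range such as 0-65535, or through the all-traffic protocol -1) from 0.0.0.0/0, and prints the matching `revoke-security-group-ingress` command for each finding without executing anything. It goes beyond the control text in one respect: the IPv6 wildcard ::/0 is treated as world-open as well. The group IDs, names and CIDRs in the sample are constructed placeholders.

```python
import json

# Remote administration ports this control covers: SSH (22) and RDP (3389).
ADMIN_PORTS = (22, 3389)
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"   # IPv6 analogue of 0.0.0.0/0; a generalization beyond the control text


def open_sources(perm):
    """Return the world-open IPv4 and IPv6 sources of one IpPermission entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_V4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_V6]
    return v4, v6


def admin_ports_covered(perm):
    """Admin ports reachable through one IpPermission entry, regardless of source.

    Covers the protocol cases from the Test Plan: tcp (6), udp (17) and
    all traffic (-1, which carries no FromPort/ToPort keys at all).
    """
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":
        return list(ADMIN_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):   # e.g. icmp: out of scope
        return []
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return [p for p in ADMIN_PORTS if lo <= p <= hi]


def find_open_admin_rules(describe_output):
    """Audit describe-security-groups JSON; one finding per non-compliant rule."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            v4, v6 = open_sources(perm)
            ports = admin_ports_covered(perm)
            if ports and (v4 or v6):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": str(perm["IpProtocol"]),
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Ports": ports,
                    "OpenIpv4": v4,
                    "OpenIpv6": v6,
                })
    return findings


def revoke_command(finding):
    """Build the CLI call that removes only the world-open source(s) of a finding.

    --ip-permissions is used rather than --protocol/--port/--cidr so the JSON
    matches the stored rule exactly (revoke requires an exact match); other
    sources on the same rule, such as a corporate range, are left in place.
    """
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:          # absent for protocol -1
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if finding["OpenIpv4"]:
        perm["IpRanges"] = [{"CidrIp": c} for c in finding["OpenIpv4"]]
    if finding["OpenIpv6"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in finding["OpenIpv6"]]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], json.dumps([perm])))


# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Group IDs and CIDRs are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-tier", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,        # mixed: corporate + world
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "corporate"},
                          {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,      # public HTTPS: compliant
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [],                       # all traffic from IPv6 world
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
        {"GroupId": "sg-0fedcba9876543210", "GroupName": "legacy-admin", "IpPermissions": [
            {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,      # range spanning 22 and 3389
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
    ]
}

if __name__ == "__main__":
    for f in find_open_admin_rules(SAMPLE_DESCRIBE_OUTPUT):
        print("%s %s %s-%s exposes %s to %s" % (f["GroupId"], f["IpProtocol"], f["FromPort"],
              f["ToPort"], f["Ports"], f["OpenIpv4"] + f["OpenIpv6"]))
        print("  " + revoke_command(f))
```

Against a live account, save `aws ec2 describe-security-groups --output json` to a file and pass `json.load(...)` of it to `find_open_admin_rules`. Review each generated command before running it: a rule such as udp 0-65535 from 0.0.0.0/0 is revoked as a whole, and replacing the open source with a trusted range is a separate `authorize-security-group-ingress` call of the form shown in the Backout Plan.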
Backout Plan:
If necessary access is lost:
Restore a temporary security group rule allowing access from a specific trusted IP:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <your-trusted-ip>/32
Ensure AWS Systems Manager is enabled for future remote access.
Implement a bastion host or VPN before removing wide-open access again.