Profile Applicability:

 Level 2

Description

LDAP (Lightweight Directory Access Protocol) uses TCP ports 389 (unencrypted) and 636 (encrypted). Allowing inbound access to these ports from the internet can expose sensitive directory data to unauthorized users and attackers. To enhance security, ensure that these ports are restricted to trusted IP addresses only, typically within your private network or over secure VPN connections.

Rationale

  • Enhanced Security: Prevents unauthorized access to sensitive directory data.

  • Compliance: Ensures adherence to security best practices and regulatory requirements.

  • Risk Mitigation: Reduces the attack surface by limiting access to critical ports.

Impact

Pros:

  • Enhances overall security posture by restricting sensitive LDAP ports.

  • Reduces the risk of unauthorized access and potential data breaches.

  • Aligns with compliance requirements for directory service security.

Cons:

  • Requires careful configuration of security groups and firewall rules.

  • May cause temporary disruption for services relying on these ports during implementation.

Default Value

By default, EC2 instances may allow ingress to these ports if improperly configured. Explicit configuration is required to restrict internet access.

Pre-Requisite

IAM Permissions:

  • ec2:DescribeInstances

  • ec2:DescribeSecurityGroups

  • ec2:RevokeSecurityGroupIngress

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Review all Security Groups associated with your EC2 instances.

  4. Identify any Security Groups that allow ingress to TCP port 389 or 636 from 0.0.0.0/0 or ::/0.

Using AWS CLI:

Identify Ingress Rules Allowing Public Access:

aws ec2 describe-security-groups --query "SecurityGroups[*].IpPermissions[?FromPort==`389` || FromPort==`636` && contains(IpRanges[].CidrIp, '0.0.0.0/0') || contains(Ipv6Ranges[].CidrIpv6, '::/0')]"

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. Identify the Security Groups that allow ingress on TCP port 389 or 636.

  5. Edit the Security Groups:

    • Remove the rule allowing ingress to these ports from 0.0.0.0/0 or ::/0.

    • Restrict access to trusted IP ranges, such as your private network or specific on-premises IP addresses.

  6. Save the changes.

Using AWS CLI:

Revoke Insecure Ingress Rules:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 389 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 636 --cidr 0.0.0.0/0

Add Secure Rules for Specific IP Ranges:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 389 --cidr <trusted-cidr>


aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 389 --cidr <trusted-cidr>

Backout Plan

Using AWS Console:

  1. Revert the changes by adding back the necessary ingress rules with specific IP ranges.

  2. Save the changes.

Using AWS CLI:

Restore Required Access:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 389 --cidr <specific-cidr>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 636 --cidr <specific-cidr>

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.

v7

9.1

Limit Exposure to External Networks – Use techniques like restricting unnecessary ingress rules.