Profile Applicability: 

Level 2

Description

TCP port 22 is the SSH management port for EC2 instances. A security group rule that allows ingress to this port from 0.0.0.0/0 or ::/0 exposes every instance attached to the group to internet-wide password guessing and to any exploitable flaw in the SSH service. Restricting the source to trusted IP ranges, a VPN or a bastion host, or removing the rule where interactive SSH is not needed, removes that exposure.

Rationale

  • Enhanced Security: Limits exposure to unauthorized SSH access attempts.

  • Risk Mitigation: Reduces potential attack surface for brute-force and other malicious activities.

  • Compliance: Aligns with security best practices and regulatory requirements.

Impact

Pros:

  • Protects instances from unauthorized SSH access attempts.

  • Reduces the risk of data breaches and exploits.

  • Improves overall security posture.

Cons:

  • Requires secure alternatives like VPNs or bastion hosts for remote SSH access.

  • Might inconvenience developers if their access IPs frequently change.

Default Value

A newly created security group has no inbound rules, and the default security group of a VPC allows inbound traffic only from instances in the same group, so neither opens port 22 to the internet. Security groups created through the EC2 launch wizard, however, default to an SSH rule with source "Anywhere" (0.0.0.0/0) unless the source is changed at launch time, which is how most world-open port 22 rules are introduced.

Pre-Requisite

IAM Permissions:

  • ec2:DescribeSecurityGroups

  • ec2:RevokeSecurityGroupIngress

  • ec2:AuthorizeSecurityGroupIngress (only needed to add replacement rules and for the backout plan)

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan: Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. For each group, open the Inbound rules tab and identify rules whose port range includes 22 (Type SSH, a custom range such as 0-65535, or All traffic) with a source of 0.0.0.0/0 or ::/0.

Using AWS CLI:

Identify Ingress Rules Allowing Public Access:

aws ec2 describe-security-groups \
  --query "SecurityGroups[?IpPermissions[?(IpProtocol=='-1' || (FromPort<=\`22\` && ToPort>=\`22\`)) && (contains(IpRanges[].CidrIp, '0.0.0.0/0') || contains(Ipv6Ranges[].CidrIpv6, '::/0'))]].[GroupId,GroupName]" \
  --output table

The query lists every group that has at least one inbound rule whose port range includes 22 (an exact SSH rule, a wider range such as 0-65535, or an all-traffic rule with IpProtocol -1) and whose source is 0.0.0.0/0 or ::/0. A query that only tests FromPort==`22` misses the wider rules. JMESPath number literals are written in backticks, which must be escaped as shown when the query is enclosed in double quotes; otherwise the shell treats them as command substitution.

Implementation Steps: Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 Dashboard.

  3. Go to the Security Groups tab.

  4. Identify security groups with inbound rules allowing ingress to port 22 from 0.0.0.0/0 or ::/0.

  5. Select the group, choose Edit inbound rules, and:

    • Remove the rule allowing ingress from 0.0.0.0/0 or ::/0.

    • Restrict the source to trusted IP ranges, or delete the rule entirely if SSH is not required.

  6. Save the changes.

Using AWS CLI:

Revoke Insecure Ingress Rules:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=::/0}]'

The --cidr option accepts only an IPv4 range, so the IPv6 rule has to be removed through --ip-permissions. Revocation matches rules exactly: a rule that opens a wider range (for example TCP 0-65535, or all traffic) is not removed by the commands above and must be revoked with the protocol and port range it was created with.

Add Secure Rules for Specific IP Ranges (if SSH access is required):

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <trusted-cidr>

Use the narrowest IPv4 range that covers the administrators' egress addresses, the VPN concentrator or the bastion host; for an IPv6 source, use --ip-permissions with Ipv6Ranges instead of --cidr.
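The audit query and the revoke commands above each handle one rule shape at a time. The following script is an added example, not part of this benchmark page or an AWS tool: it applies the same audit logic to a full describe-security-groups response (the JSON shape returned by `aws ec2 describe-security-groups --output json` or boto3), catches the rule shapes a FromPort==22 check misses (wider TCP ranges and all-traffic rules), and emits one exact revoke-security-group-ingress command per finding, using --ip-permissions so that IPv6 sources and non-22 port ranges are revoked correctly. The security groups in SAMPLE_RESPONSE are constructed sample data, not a real account.

```python
"""Audit a DescribeSecurityGroups response for rules that expose TCP/22 to the
internet and emit the exact revoke-security-group-ingress calls that remove them.

Added example (not from the benchmark page). The input has the JSON shape that
`aws ec2 describe-security-groups --output json` (and boto3) returns; the
response below is constructed sample data, not a real account.
"""
import json
import shlex

SSH_PORT = 22
PUBLIC_V4 = "0.0.0.0/0"
PUBLIC_V6 = "::/0"

# Constructed sample: three hypothetical security groups.
SAMPLE_RESPONSE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa000000000001", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0aaa000000000002", "GroupName": "legacy-wide-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0aaa000000000003", "GroupName": "bastion-only", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]}
]}
""")


def rule_covers_ssh(perm):
    """True if an IpPermission admits TCP/22: an exact 22-22 rule, a wider TCP
    range that includes 22, or an all-traffic rule (IpProtocol "-1", which
    carries no FromPort/ToPort). A check on FromPort == 22 misses the last two."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= SSH_PORT <= perm["ToPort"]


def public_sources(perm):
    """Yield (address_family, cidr) for every world-open source on the rule."""
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") == PUBLIC_V4:
            yield "v4", PUBLIC_V4
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") == PUBLIC_V6:
            yield "v6", PUBLIC_V6


def find_findings(response):
    """Return (group_id, permission, family, cidr) for each offending source."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_ssh(perm):
                for family, cidr in public_sources(perm):
                    findings.append((sg["GroupId"], perm, family, cidr))
    return findings


def revoke_command(group_id, perm, family, cidr):
    """Build the CLI call for one finding. revoke-security-group-ingress
    matches rules exactly, so the call repeats the rule's own protocol and
    port range (0-65535 for the wide rule, no ports for -1), and an IPv6
    source goes through --ip-permissions because --cidr accepts only IPv4."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        spec = "IpProtocol=-1"
    else:
        spec = f"IpProtocol={proto},FromPort={perm['FromPort']},ToPort={perm['ToPort']}"
    if family == "v4":
        spec += f",IpRanges=[{{CidrIp={cidr}}}]"
    else:
        spec += f",Ipv6Ranges=[{{CidrIpv6={cidr}}}]"
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions {shlex.quote(spec)}")


def remediation_plan(response):
    """One revoke command per finding, ready to review and run."""
    return [revoke_command(*f) for f in find_findings(response)]


if __name__ == "__main__":
    for cmd in remediation_plan(SAMPLE_RESPONSE):
        print(cmd)
```

To audit a real account, save `aws ec2 describe-security-groups --output json` to a file and load it in place of SAMPLE_RESPONSE. Review each printed command before running it: revoking a 0-65535 or all-traffic rule also removes whatever other traffic that rule was carrying, so such rules usually need a replacement rule for the legitimate ports at the same time.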


Backout Plan

Using AWS Console:

  1. Re-enable access by adding specific ingress rules as needed.

  2. Monitor the access and ensure it complies with security policies.

Using AWS CLI:

Restore Required Access:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <specific-cidr>

References

CIS Controls

Version  Control ID  Control Description                                                                                           IG1  IG2  IG3
v8       5.3         Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.
v8       13.2        Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.
v7       9.1         Limit Exposure to External Networks – Use techniques like disabling unnecessary ingress rules.