Profile Applicability:

 Level 2

Description:

This check ensures that no security groups in your AWS environment allow ingress (incoming) traffic from 0.0.0.0/0 or ::/0 (representing all IPv4 and IPv6 addresses) to high-risk ports (such as port 22 for SSH, 3389 for RDP, etc.). Allowing such traffic without restrictions could expose your resources to unauthorized access, making them vulnerable to attacks.

Rationale:

Allowing unrestricted ingress from any source to high-risk ports poses significant security risks to your AWS infrastructure. High-risk ports are typically used for remote access (e.g., SSH for Linux/Unix-based instances, RDP for Windows instances). If these ports are left open to the internet, they become prime targets for attackers attempting brute-force attacks, exploits, or other malicious activities. Ensuring that ingress to these ports is restricted minimizes the risk of unauthorized access to sensitive resources.

Impact:

  • Security: Unauthorized access to EC2 instances and other resources exposed to the internet can result in data breaches, service disruptions, or system compromise.

  • Compliance: Failure to restrict high-risk ports may violate security standards and compliance requirements (e.g., PCI-DSS, HIPAA, SOC 2).

  • Service Downtime: An exposed service that is brute-forced or exploited can lead to outages or incidents that affect the availability of your resources.

  • Remediation: Revoking an open rule cuts off any administrator who currently connects through it. Identify the trusted source ranges, or a bastion, VPN or AWS Systems Manager Session Manager path, before revoking, and change one security group at a time so a mistake is easy to back out.

Default Value:

By default, a newly created security group has no inbound rules, so it denies all inbound traffic and allows all outbound traffic. The default security group that comes with each VPC additionally allows inbound traffic from resources assigned to that same group. No default rule opens a high-risk port to 0.0.0.0/0 or ::/0; such exposure comes from rules added later, most commonly by accepting the "Anywhere" source offered when a security group is created from the EC2 launch wizard.

Pre-Requisites:

  • AWS Management Console access, or the AWS CLI installed and configured, with an identity permitted to call ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress (the last only for the backout plan).

  • Familiarity with security best practices and high-risk ports (e.g., port 22 for SSH, port 3389 for RDP, port 3306 for MySQL, etc.).

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 dashboard.

  3. In the left-hand menu, under Network & Security, click Security Groups.

  4. Select each security group and open the Inbound rules tab.

  5. Verify that no rule allows ingress from 0.0.0.0/0 (Anywhere-IPv4) or ::/0 (Anywhere-IPv6) to high-risk ports such as:

    • 22 (SSH)

    • 3389 (RDP)

    • 3306 (MySQL)

    • 5432 (PostgreSQL)

     A rule exposes a port if the port falls anywhere inside its port range, and a rule of type "All traffic" or "All TCP" exposes every port. Check those rules too, not only rules whose port is exactly 22 or 3389.

  6. If any rule allows 0.0.0.0/0 or ::/0 to a high-risk port, it must be modified or removed (see Implementation Plan).

Using AWS CLI:

  1. Run the following command to list all security groups in the current region together with their inbound rules (the CLI pages through the results automatically). To narrow the listing to groups that have any rule open to the world, add --filters Name=ip-permission.cidr,Values=0.0.0.0/0 for IPv4, or Name=ip-permission.ipv6-cidr,Values=::/0 for IPv6:

aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,Ingress:IpPermissions}'


  2. For each security group, check the inbound rules. Pay special attention to any IpRanges entry with CidrIp 0.0.0.0/0 and any Ipv6Ranges entry with CidrIpv6 ::/0. The following query returns the IPv4 and IPv6 sources of every rule that covers port 22, including rules whose port range spans 22 and "all traffic" rules (IpProtocol -1, which carry no FromPort/ToPort); a plain FromPort==22 match misses both:

aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[*].IpPermissions[?IpProtocol=='-1' || (FromPort<=\`22\` && ToPort>=\`22\`)].[IpRanges,Ipv6Ranges]"


Repeat the check for the other high-risk ports (e.g., 3389, 3306, 5432) by changing the port number in the query.

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 dashboard and, under Network & Security, go to Security Groups.

  3. Select each security group and review the Inbound rules tab.

  4. If any rule allows ingress from 0.0.0.0/0 or ::/0 to a high-risk port:

    • Click Edit inbound rules.

    • Modify or delete the rule. Change the Source to the specific IP addresses or ranges that need access (for example a corporate NAT range), or remove the rule entirely and reach the instances through a VPN, a bastion host or AWS Systems Manager Session Manager instead.

    • Where a rule has several sources, remove only the 0.0.0.0/0 or ::/0 entry and keep the trusted ones.

    • Click Save rules. The change takes effect immediately for that security group, so save and test each group before moving on to the next.

  5. Repeat for every security group in every region you use.

Using AWS CLI:

  1. To identify rules that allow ingress from 0.0.0.0/0 or ::/0 to high-risk ports (e.g., 22, 3389), run the following command:

aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,Ingress:IpPermissions}' --output table


  2. For each offending rule, revoke the open source. The revoke call must match the existing rule exactly (protocol, port range and CIDR); revoking --port 22 does nothing to a rule whose range is 0-65535 or 3000-4000, so take the port range from the describe output rather than the port you are worried about (--port accepts a range such as 3000-4000):

 aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --cidr 0.0.0.0/0


  3. For example, to remove SSH access (port 22) from 0.0.0.0/0:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0


     The --cidr flag accepts only an IPv4 range. To remove the matching IPv6 source (::/0) from the same rule, pass the permission as JSON:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions '[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'


     For an "all traffic" rule use "IpProtocol":"-1" and omit FromPort and ToPort. Revoking a single CIDR leaves the rule's other sources in place, so trusted ranges on the same rule survive.

  4. If the port still needs to be reachable from a known location, authorize that range explicitly with authorize-security-group-ingress, using the trusted CIDR in place of 0.0.0.0/0.

  5. Repeat for all high-risk ports, all security groups and all regions.
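The Test Plan and Implementation Plan above audit and revoke rule by rule with the CLI. The script below is an added example for this page, not AWS's own tooling: it runs the same audit over the SecurityGroups structure that describe-security-groups (or boto3's describe_security_groups) returns, handles the cases a port-exact query misses (port ranges, "all traffic" rules, IPv6 sources, security-group-referenced sources that are not world-open), and emits for each finding the exact IpPermissions payload that revokes only the offending CIDR. SAMPLE_GROUPS and its sg- identifiers are constructed for illustration; running with --live assumes boto3 and credentials allowed to call ec2:DescribeSecurityGroups (and ec2:RevokeSecurityGroupIngress if --apply is also given).

```python
# Added example for this page, not AWS's own code. Works on the SecurityGroups structure
# returned by `aws ec2 describe-security-groups` / boto3. SAMPLE_GROUPS is constructed.
import json
import sys

HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
WORLD = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """True if the rule admits traffic to `port`: handles port ranges (FromPort <= port
    <= ToPort) and "all traffic" rules (IpProtocol "-1", no FromPort/ToPort at all),
    both of which a FromPort==port query misses."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False  # icmp and friends have no ports to expose
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_sources(rule):
    """Yield (list_key, cidr) for each 0.0.0.0/0 or ::/0 source on the rule.
    Security-group references (UserIdGroupPairs) and prefix lists are not world-open."""
    for r in rule.get("IpRanges", []):
        if r.get("CidrIp") in WORLD:
            yield "IpRanges", r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") in WORLD:
            yield "Ipv6Ranges", r["CidrIpv6"]


def revoke_payload(rule, list_key, cidr):
    """Minimal IpPermissions entry that revokes exactly one source CIDR. AWS matches a
    revoke against the rule's own protocol and port range, so those are copied from the
    rule, not from the port being audited. ::/0 must go via Ipv6Ranges (--cidr is IPv4-only)."""
    perm = {"IpProtocol": rule["IpProtocol"]}
    if rule["IpProtocol"] != "-1":
        perm["FromPort"], perm["ToPort"] = rule["FromPort"], rule["ToPort"]
    perm[list_key] = [{"CidrIp" if list_key == "IpRanges" else "CidrIpv6": cidr}]
    return perm


def find_open_high_risk_rules(security_groups, ports=HIGH_RISK_PORTS):
    """One finding per (group, rule, world-open source) covering a high-risk port."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            exposed = [p for p in ports if rule_covers_port(rule, p)]
            if not exposed:
                continue
            for list_key, cidr in world_open_sources(rule):
                findings.append({"GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                                 "Ports": exposed, "Source": cidr,
                                 "Revoke": revoke_payload(rule, list_key, cidr)})
    return findings


def revoke_findings(ec2, findings, apply=False):
    """Return the (GroupId, payload) pairs; call revoke_security_group_ingress only if apply."""
    actions = [(f["GroupId"], f["Revoke"]) for f in findings]
    if apply:
        for group_id, perm in actions:
            ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[perm])
    return actions


# Constructed sample in describe-security-groups shape; the sg- ids are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0123456789abcdef1", "GroupName": "app-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,  # range silently covers 3306/3389
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,  # SG-sourced: not world-open
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef2"}]}]},
    {"GroupId": "sg-0123456789abcdef3", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # all traffic, all ports
]

if __name__ == "__main__":
    live, apply = "--live" in sys.argv, "--apply" in sys.argv
    ec2, groups = None, SAMPLE_GROUPS
    if live:  # assumption: credentials with ec2:Describe*/Revoke* permissions are configured
        import boto3
        ec2 = boto3.client("ec2")
        pages = ec2.get_paginator("describe_security_groups").paginate()
        groups = [sg for page in pages for sg in page["SecurityGroups"]]
    findings = find_open_high_risk_rules(groups)
    for f in findings:
        print(json.dumps(f))
    revoke_findings(ec2, findings, apply=live and apply)  # dry run unless --live --apply
```

Run without arguments it reports the four findings in the constructed sample (both the IPv4 and IPv6 sources of the bastion rule, the 3000-4000 range on app-db that quietly covers MySQL and RDP, and the all-traffic rule on legacy) and shows the payload it would revoke; the 5432 rule sourced from another security group is correctly left alone. Each payload carries the rule's own port range, which is what makes the revoke succeed against a range rule where a --port 3306 call would not.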

Backout Plan:

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 > Security Groups.

  3. Identify the security groups that previously allowed ingress from 0.0.0.0/0 or ::/0 to high-risk ports (e.g., 22, 3389, 3306, etc.).

  4. Edit the inbound rules:

    • Re-add the rules to allow unrestricted access from 0.0.0.0/0 or ::/0 to the necessary ports, based on operational requirements.

  5. Save the changes to apply the updates.

  6. Validate the configuration and test connectivity to ensure systems are functioning as expected.

Using AWS CLI:

  1. Retrieve the current configuration of the security group:

aws ec2 describe-security-groups --group-ids <security-group-id>

  2. Re-add the rule allowing unrestricted ingress to the high-risk port:

aws ec2 authorize-security-group-ingress \
--group-id <security-group-id> \
--protocol tcp \
--port <port-number> \
--cidr 0.0.0.0/0

     For an IPv6 source, pass --ip-permissions with an Ipv6Ranges entry for ::/0 instead of --cidr, which accepts IPv4 only.

  3. Verify that the rule was added successfully:

aws ec2 describe-security-groups --group-ids <security-group-id>

References:

CIS Controls

Version  Control ID  Control Description                                   IG1  IG2  IG3
v8       4.4         Implement and Manage a Firewall on Servers            ●    ●    ●
v8       4.5         Implement and Manage a Firewall on End-User Devices   ●    ●    ●
v8       13.1        Centralize Security Event Alerting                         ●    ●