Profile Applicability:

  • Level 1

Description:

MySQL listens on TCP port 3306 by default. A security group rule that allows ingress to port 3306 from the entire internet (0.0.0.0/0 or ::/0) exposes the database server to any host that can reach the instance's public address: credential brute-forcing, exploitation of unpatched MySQL vulnerabilities, and data exfiltration once a login succeeds. This SOP ensures that security groups attached to EC2 instances running MySQL (or any other service listening on port 3306) do not allow ingress to that port from the entire internet, and that access is instead limited to trusted IP ranges or internal networks.

Rationale:

Port 3306 is commonly targeted by attackers looking to exploit MySQL databases. Exposing MySQL to the internet allows potential attackers to gain unauthorized access if weak passwords or vulnerabilities are present. Restricting inbound traffic to port 3306 ensures that only authorized users or internal services can access the MySQL service, thereby reducing the attack surface and protecting sensitive data.

Impact:

Pros:

  • Improved Security: Prevents unauthorized access to MySQL databases from the public internet.

  • Reduced Risk: Limits exposure to brute-force and credential-stuffing attempts and to exploitation of MySQL vulnerabilities from arbitrary internet hosts. Note that a security group is a network control; it does not protect against SQL injection through an application that is itself permitted to reach the database.

  • Compliance: Aligns with security best practices and compliance standards by minimizing the attack surface.

Cons:

  • Access Management: Clients outside the VPC will need to reach MySQL through a VPN, a bastion host, or private connectivity (VPC peering, Transit Gateway, Site-to-Site VPN) rather than a direct public rule. Placing a public load balancer in front of MySQL only moves the exposure and is not a substitute.

Default Value:

A newly created security group has no inbound rules, and the default security group of a VPC allows inbound traffic only from members of that same group, so neither exposes port 3306 on its own. The exposure appears when an administrator, launch wizard, or template adds an inbound rule for port 3306 (or a port range or "All traffic" rule that includes it) with source 0.0.0.0/0 or ::/0; such a rule stays in effect until it is removed.

Pre-requisite:

  • AWS IAM permissions:

    • ec2:DescribeSecurityGroups

    • ec2:RevokeSecurityGroupIngress

    • ec2:AuthorizeSecurityGroupIngress

    • ec2:DescribeInstances

  • AWS CLI installed and configured.

  • Understanding of Security Groups, MySQL port management, and network access controls.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the left-hand navigation pane, select Security Groups under Network & Security.

  4. Identify the security groups associated with EC2 instances running MySQL (or any other service listening on port 3306).

  5. For each security group, check the Inbound Rules for port 3306:

    • Ensure no rule allows TCP port 3306 from 0.0.0.0/0 (IPv4) or ::/0 (IPv6). Include rules whose port range contains 3306 and "All traffic" rules, which reach port 3306 as well.

    • If such a rule exists, modify it so that the source is restricted to trusted IP ranges, VPC subnets, or private network ranges.

Using AWS CLI:

To list every security group in the current region together with any inbound rule that reaches port 3306, use the query below. It matches rules whose port range contains 3306 and "All traffic" rules (IpProtocol -1), both of which a plain ToPort==3306 filter misses. Security groups are regional, so repeat the check in every region the account uses.

aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,InboundRules:IpPermissions[?IpProtocol==`"-1"` || (FromPort<=`3306` && ToPort>=`3306`)]}'

Review the output: any entry under InboundRules whose IpRanges contains 0.0.0.0/0 or whose Ipv6Ranges contains ::/0 is a finding. An empty InboundRules list means the group does not expose port 3306.

If a security group allows 0.0.0.0/0 access to port 3306, revoke the IPv4 rule:

aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 3306 --cidr 0.0.0.0/0

The --cidr option accepts IPv4 ranges only, so an IPv6 (::/0) rule is revoked with --ip-permissions:

aws ec2 revoke-security-group-ingress --group-id <group-id> --ip-permissions '[{"IpProtocol":"tcp","FromPort":3306,"ToPort":3306,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'

Revoking removes only the source ranges you name, so a trusted CIDR that shares the same port entry is left in place. A rule that opens a wider range (for example 3000-4000) or all traffic must be revoked with its actual FromPort/ToPort or IpProtocol -1; specifying --port 3306 will not match it.

Verify that the group no longer has an internet-wide rule reaching port 3306:

aws ec2 describe-security-groups --group-ids <group-id> --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,InboundRules:IpPermissions[?IpProtocol==`"-1"` || (FromPort<=`3306` && ToPort>=`3306`)]}'

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to EC2.

  3. In the Security Groups section under Network & Security, find the security group(s) associated with your MySQL EC2 instances.

  4. Click on the security group, go to the Inbound Rules section, and choose Edit inbound rules.

  5. Identify any rule that allows access to port 3306 from 0.0.0.0/0 or ::/0 (including port ranges and "All traffic" rules that cover it) and delete it.

  6. Add rules that allow port 3306 only from trusted IP addresses, internal subnets, or the security group of the client instances.

  7. Save the rules.

Using AWS CLI:

To remove the internet-wide rules for port 3306, use the following commands. The --cidr option is IPv4-only, so the IPv6 rule is revoked with --ip-permissions:

aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 3306 --cidr 0.0.0.0/0

aws ec2 revoke-security-group-ingress --group-id <group-id> --ip-permissions '[{"IpProtocol":"tcp","FromPort":3306,"ToPort":3306,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'

To allow access only from a specific trusted range, such as the VPC CIDR, an application subnet, or a single /32 for a bastion host, use:

aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 3306 --cidr <trusted-ip-range>

When the clients are EC2 instances in the same VPC, prefer referencing their security group as the source (the --source-group option of the same command takes a security group ID) so the rule follows the instances rather than their addresses.
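The check in the Test Plan and the revoke step above, as an added example (this is not part of the original SOP and not AWS code): it parses the JSON that aws ec2 describe-security-groups --output json prints, flags every inbound rule that reaches port 3306 from 0.0.0.0/0 or ::/0 (including port ranges and "All traffic" rules, and IPv6 sources that --cidr cannot express), and renders the exact --ip-permissions payload that revokes only the internet-wide source. The function names, the sg-... identifiers and the sample groups are assumptions constructed for illustration; the script uses only the Python standard library.

```python
"""Audit EC2 security groups for MySQL (TCP/3306) reachable from the internet.

Added example for this SOP, not AWS code. It works on the JSON that
`aws ec2 describe-security-groups --output json` prints (the same shape
boto3's describe_security_groups() returns), so it runs offline against the
constructed sample below. Function names and sg-... IDs are assumptions.
"""
import json
import sys

MYSQL_PORT = 3306
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_reaches_port(perm, port=MYSQL_PORT):
    """True if one IpPermissions entry reaches TCP/<port>.

    Covers what a plain `ToPort == 3306` query misses: an "All traffic" rule
    (IpProtocol "-1", which carries no FromPort/ToPort) and a TCP range such
    as 3000-4000 that contains 3306. UDP and other protocols are ignored.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def internet_sources(perm):
    """Return the internet-wide IPv4 and IPv6 sources listed in one rule."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in INTERNET_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in INTERNET_CIDRS]
    return v4, v6


def find_public_mysql_rules(describe_output):
    """Return [(GroupId, permission), ...] for every offending rule.

    Each permission is shaped for
    `aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions`
    and names only the internet-wide ranges, so a trusted CIDR sharing the
    same port entry is left untouched. The rule's own FromPort/ToPort are
    kept because revoking with --port 3306 would not match a 3000-4000 rule.
    """
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_reaches_port(perm):
                continue
            v4, v6 = internet_sources(perm)
            if not (v4 or v6):
                continue
            revoke = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":
                revoke["FromPort"] = perm["FromPort"]
                revoke["ToPort"] = perm["ToPort"]
            if v4:
                revoke["IpRanges"] = [{"CidrIp": c} for c in v4]
            if v6:
                revoke["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
            findings.append((sg["GroupId"], revoke))
    return findings


def revoke_commands(findings):
    """Render one AWS CLI revoke command per finding (review before running)."""
    return [
        "aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
        % (group_id, json.dumps([perm], separators=(",", ":")))
        for group_id, perm in findings
    ]


# Constructed sample in the shape of describe-security-groups output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "mysql-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "mysql-range-v6", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "all-traffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "mysql-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60099", "UserId": "123456789012"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60005", "GroupName": "ssh-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": []}]},
]}

if __name__ == "__main__":
    # Pass a file saved with `aws ec2 describe-security-groups --output json`
    # as the first argument; with no argument the constructed sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    findings = find_public_mysql_rules(data)
    for group_id, perm in findings:
        print("FINDING", group_id, json.dumps(perm))
    for cmd in revoke_commands(findings):
        print(cmd)
```

On the sample, only the first three groups are reported: the group that mixes 0.0.0.0/0 with 10.0.0.0/16 gets a revoke payload naming 0.0.0.0/0 alone, the 3000-4000 range is revoked with its real ports, and the "All traffic" rule is revoked as IpProtocol -1. The internal-only group and the public SSH group are not findings for this control. Run the audit once per region, since security groups are regional.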

Backout Plan:

If removing the ingress rules breaks a legitimate client of a MySQL instance, restore access for that client only rather than for the whole internet:

Identify the security group and the source (a CIDR or a security group) that needs to reach port 3306.

Add a rule back for that specific source:

aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 3306 --cidr <required-source-cidr>

For an IPv6 client, use --ip-permissions with an Ipv6Ranges entry, because --cidr accepts IPv4 ranges only:

aws ec2 authorize-security-group-ingress --group-id <group-id> --ip-permissions '[{"IpProtocol":"tcp","FromPort":3306,"ToPort":3306,"Ipv6Ranges":[{"CidrIpv6":"<required-source-ipv6-cidr>"}]}]'

Verify the access and document the restoration actions for auditing. Re-adding 0.0.0.0/0 or ::/0 reintroduces the finding; if a full rollback to the original rule cannot be avoided, record it as a time-limited exception with an owner and a removal date.

References:

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |