Profile Applicability:
- Level 1
Description:
Security Groups in AWS define the inbound and outbound traffic rules for EC2 instances. These rules can allow traffic from specific IP addresses or ranges. When an IP range is too broad (with a subnet mask between 0 and 24), it effectively exposes resources to a wider network, increasing the risk of unauthorized access. A wide-open IP address range (e.g., 0.0.0.0/8, 0.0.0.0/16) allows traffic from a large number of IPs, which might not be necessary for the operation of the EC2 instance. This SOP ensures that no security group allows ingress or egress from overly permissive IP address ranges with a mask between 0 and 24.
Rationale:
Allowing ingress or egress traffic from wide-open IP ranges (e.g., 0.0.0.0/0, 0.0.0.0/16, etc.) increases the exposure of EC2 instances to the internet. These wide-open IP ranges can lead to unauthorized access, data breaches, or malicious attacks if not carefully managed. Restricting access to specific, trusted IP ranges ensures that only legitimate traffic can reach the instance and prevents unnecessary exposure to the public internet.
Impact:
Pros:
Improved Security: Prevents unauthorized access by limiting the IP ranges allowed to interact with EC2 instances.
Reduced Attack Surface: Minimizes the exposure of resources by enforcing strict network access controls.
Compliance: Meets security best practices by restricting unnecessary internet access.
Cons:
Access Restrictions: Some instances may require wider access for legitimate use cases (e.g., for public-facing services), which would require careful configuration of security group rules.
Default Value:
By default, EC2 security groups allow traffic from 0.0.0.0/0 or ::/0 for common services like HTTP (port 80) or HTTPS (port 443). Without proper configuration, ingress or egress rules might include wide-open IP ranges, leaving instances vulnerable.
Pre-requisite:
AWS IAM Permissions:
ec2:DescribeSecurityGroups
ec2:ModifySecurityGroupRules
AWS CLI installed and configured.
Familiarity with Security Groups, IP addressing, and subnet masks.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 under Services.
Select Security Groups under Network & Security.
For each Security Group, check the Inbound Rules and Outbound Rules for any rule that allows access from IP address ranges with a subnet mask between 0 and 24.
Look for any IP address range such as 0.0.0.0/8, 0.0.0.0/16, ::/8, or similar.
Remove or update any overly permissive rules to restrict access to trusted IPs or subnets.
Using AWS CLI:
To list all security groups and their associated inbound and outbound rules, use the following command:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,IngressRules:IpPermissions,EgressRules:IpPermissionsEgress}' --output json
Review the rules for any IP ranges with a mask between 0 and 24:
Look for rules that allow access from 0.0.0.0/8, 0.0.0.0/16, or similar broad IP ranges.
If you find any such rules, revoke them using the following commands:
aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port <port> --cidr <ip-range>
aws ec2 revoke-security-group-egress --group-id <group-id> --protocol tcp --port <port> --cidr <ip-range>
If you need to restrict access to specific subnets or IP ranges, authorize the necessary IP range using:
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port <port> --cidr <trusted-ip-range>
aws ec2 authorize-security-group-egress --group-id <group-id> --protocol tcp --port <port> --cidr <trusted-ip-range>
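A script that automates the review step above, added here as an example and not part of this SOP: it parses the JSON that describe-security-groups returns (a constructed sample is embedded so it runs offline), flags every IPv4 or IPv6 range whose prefix length is 24 or shorter (the SOP's "between 0 and 24" is assumed inclusive; the threshold is a constant), and builds the exact revoke command for each finding. Function and constant names are the example's own.

```python
import ipaddress
import json

# Prefix lengths from 0 up to and including this value are flagged
# (assumption: the SOP's "between 0 and 24" is read as inclusive).
MAX_FLAGGED_PREFIX = 24

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`; not real data.
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0example1", "GroupName": "web",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/25"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/16"}]}],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": []}]}]})


def is_overly_broad(cidr, max_prefix=MAX_FLAGGED_PREFIX):
    """True when the CIDR's prefix length lies in [0, max_prefix]."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= max_prefix


def find_broad_rules(describe_output, max_prefix=MAX_FLAGGED_PREFIX):
    """Return (group_id, direction, cidr, spec) per flagged rule; spec is the
    IpPermissions entry narrowed to that one CIDR, usable with revoke."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        # Egress rules live under IpPermissionsEgress, not IpPermissions.
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort")
                        if k in perm}
                for rng_key, cidr_key in (("IpRanges", "CidrIp"),
                                          ("Ipv6Ranges", "CidrIpv6")):
                    for rng in perm.get(rng_key, []):
                        if is_overly_broad(rng[cidr_key], max_prefix):
                            spec = dict(base, **{rng_key: [rng]})
                            findings.append((sg["GroupId"], direction,
                                             rng[cidr_key], spec))
    return findings


def revoke_command(finding):
    """Build the revoke command; --ip-permissions carries protocol, ports and
    the one CIDR (IPv4 or IPv6), so only that range is removed."""
    group_id, direction, _cidr, spec = finding
    return (f"aws ec2 revoke-security-group-{direction} --group-id {group_id}"
            f" --ip-permissions '{json.dumps([spec])}'")
```

Feed real output in place of SAMPLE_OUTPUT and review each generated command against the service's actual needs before running it.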
Implementation Steps:
Using AWS Console:
Open the AWS Management Console.
Navigate to EC2.
Go to Security Groups under Network & Security.
Select each Security Group and review the Inbound Rules and Outbound Rules.
Identify any rules with IP ranges such as 0.0.0.0/8, 0.0.0.0/16, ::/8, or ::/16.
Modify or remove any rules with broad access and replace them with more restrictive IP ranges (e.g., specific subnets or trusted IPs).
Save the changes and verify the instance's connectivity to ensure no disruption to necessary services.
Using AWS CLI:
Run the command to list security groups and associated ingress and egress rules:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,IngressRules:IpPermissions,EgressRules:IpPermissionsEgress}' --output json
Review the ingress and egress rules to identify any rules allowing traffic from 0.0.0.0/8, 0.0.0.0/16, or similar.
Revoke or update these rules using the AWS CLI as shown in the Test Plan section.
Backout Plan:
If restricting access to certain IP ranges causes connectivity issues:
Identify the security group and the affected rules.
Revert the changes by restoring the original rules that were modified or removed:
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port <port> --cidr 0.0.0.0/0
aws ec2 authorize-security-group-egress --group-id <group-id> --protocol tcp --port <port> --cidr 0.0.0.0/0
Verify the instance is accessible and that the configuration is working as intended.