Profile Applicability:
- Level 1
Description:
Security Groups in AWS act as virtual firewalls to control inbound and outbound traffic for EC2 instances. Allowing unrestricted ingress (inbound) traffic from 0.0.0.0/0 or ::/0 to all ports (i.e., all traffic) exposes instances to the public internet, which can lead to unauthorized access or attacks. This SOP ensures that no security group allows ingress traffic from 0.0.0.0/0 or ::/0 to all ports, thereby preventing EC2 instances from being unnecessarily exposed to the internet.
Rationale:
Exposing EC2 instances to the internet without restrictions (using 0.0.0.0/0 or ::/0) for all ports is a security risk. It can result in data breaches, DoS attacks, or unauthorized access to services running on those instances. Restricting ingress traffic to only necessary IP addresses or subnets helps to minimize the attack surface and ensures that only authorized clients or networks can access the instances.
Impact:
Pros:
Enhanced Security: Prevents unnecessary exposure to the public internet, reducing the risk of unauthorized access.
Reduced Attack Surface: Limits the number of attack vectors available for exploitation.
Compliance: Meets security best practices for instance access control by enforcing strict ingress rules.
Cons:
Access Management: In some cases, legitimate use cases may require external access to EC2 instances, which will need to be managed via VPNs, bastion hosts, or other secure methods.
Possible Service Disruptions: Restricting access may affect applications or services that require internet-facing access.
Default Value:
By default, EC2 instances can be exposed to the internet via security group rules that allow 0.0.0.0/0 or ::/0 ingress on all ports. This SOP ensures that such configurations are not in place unless explicitly required and secured.
Prerequisites:
AWS IAM Permissions:
ec2:DescribeSecurityGroups
ec2:ModifySecurityGroupRules
ec2:DescribeInstances
AWS CLI installed and configured.
Understanding of EC2 Security Groups and network access controls.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 under Services.
In the Network & Security section, select Security Groups.
For each security group, review the Inbound Rules for any rules that allow ingress from 0.0.0.0/0 or ::/0 on all ports:
Any rule of type All traffic, or any rule whose port range covers all ports (0-65535), with a source of 0.0.0.0/0 or ::/0 should be flagged for review.
Using AWS CLI:
To list all security groups and their associated ingress rules that allow traffic from 0.0.0.0/0 or ::/0, use the following command:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,IngressRules:IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0` || CidrIp==`::/0`] || Ipv6Ranges[?CidrIpv6==`::/0`]]}' --output table
Check the output to identify security groups with rules allowing 0.0.0.0/0 or ::/0 for all ports. An All traffic rule appears with IpProtocol -1 and no port range; a TCP or UDP rule with FromPort 0 and ToPort 65535 is equivalent and should be treated the same way.
Implementation Steps:
Using AWS Console:
Open the AWS Management Console and navigate to EC2.
Go to Security Groups under Network & Security.
For each security group, check the Inbound Rules:
Ensure there are no rules allowing 0.0.0.0/0 or ::/0 to all ports.
If any rules allow 0.0.0.0/0 or ::/0 on all ports, edit the rule to restrict access to only trusted IP ranges or specific subnets.
Save the changes and verify the new rules are applied.
Using AWS CLI:
Run the following command to list security groups with ingress rules that allow 0.0.0.0/0 or ::/0 for all ports (IpProtocol -1, or TCP/UDP port range 0-65535):
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,IngressRules:IpPermissions[?(IpProtocol==`"-1"` || (FromPort==`0` && ToPort==`65535`)) && (IpRanges[?CidrIp==`0.0.0.0/0`] || Ipv6Ranges[?CidrIpv6==`::/0`])]}' --output table
If any such rules exist, revoke them. The revoke call must match the protocol and port range of the offending rule exactly, and --cidr accepts IPv4 ranges only, so the ::/0 rule is revoked through --ip-permissions:
aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port <port-range> --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <group-id> --ip-permissions '[{"IpProtocol":"tcp","FromPort":<from-port>,"ToPort":<to-port>,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
For an All traffic rule, use --protocol all and omit --port (or "IpProtocol":"-1" with no FromPort/ToPort in --ip-permissions).
If needed, add more restrictive rules to only allow traffic from trusted IP ranges or private subnets:
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port <specific-port> --cidr <trusted-ip-range>
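The detection in the Test Plan and the revoke step above can be driven from the JSON form of describe-security-groups instead of reading a table by eye. The following is an added example (not part of this SOP or of the AWS CLI) that applies the all-ports test (IpProtocol -1, or TCP/UDP 0-65535) to a constructed sample of that JSON and builds, for each offending rule, the minimal IpPermissions entry to pass to revoke-security-group-ingress, removing only the 0.0.0.0/0 and ::/0 sources and leaving any trusted ranges on the same rule in place. The sample group IDs are made up.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "GroupName": "legacy", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
    "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}]}]}""")

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def covers_all_ports(perm):
    """True for an All traffic rule (-1) or a tcp/udp rule spanning 0-65535."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] in ("tcp", "udp")
            and perm.get("FromPort") == 0 and perm.get("ToPort") == 65535)

def find_open_all_ports(describe_output):
    """Return [(GroupId, revoke_permission), ...] for every rule that allows
    0.0.0.0/0 or ::/0 on all ports. revoke_permission lists only the
    offending CIDRs, so other sources on the same rule are kept."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not covers_all_ports(perm):
                continue
            v4 = [r for r in perm.get("IpRanges", []) if r["CidrIp"] == ANY_V4]
            v6 = [r for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == ANY_V6]
            if not (v4 or v6):
                continue
            revoke = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":  # All traffic rules carry no port range
                revoke["FromPort"], revoke["ToPort"] = perm["FromPort"], perm["ToPort"]
            if v4:
                revoke["IpRanges"] = v4
            if v6:
                revoke["Ipv6Ranges"] = v6
            findings.append((sg["GroupId"], revoke))
    return findings

def revoke_command(group_id, revoke_permission):
    """Render the CLI call; --ip-permissions is used because --cidr is IPv4 only."""
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (group_id, json.dumps([revoke_permission])))

if __name__ == "__main__":
    for gid, perm in find_open_all_ports(SAMPLE):
        print(revoke_command(gid, perm))
```

Run against real output by replacing SAMPLE with json.load() of a file saved from `aws ec2 describe-security-groups --output json`, and review each printed command before executing it.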
Backout Plan:
If restricting access causes connectivity issues, follow these steps to restore access:
Identify the affected security group and the rule that was removed.
Revert the changes by adding the original rule back (--cidr accepts IPv4 ranges only, so the ::/0 rule is restored through --ip-permissions):
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port <specific-port> --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <group-id> --ip-permissions '[{"IpProtocol":"tcp","FromPort":<from-port>,"ToPort":<to-port>,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
Verify that the instance or service is functioning as expected and has access.