Profile Applicability:

  • Level 1

Description:

Amazon EC2 (Elastic Compute Cloud) instances provide scalable compute capacity in the cloud. To secure EC2 instances, it is crucial to control inbound traffic. TCP port 3389 is the default port used for Remote Desktop Protocol (RDP), which allows remote access to Windows instances. Allowing ingress from the internet to this port can expose EC2 instances to potential unauthorized access. It is best practice to restrict access to this port to prevent attacks such as brute-force attempts or unauthorized access.

Rationale:

Allowing unrestricted access to RDP (TCP port 3389) from the internet poses a significant security risk. It can make EC2 instances vulnerable to attacks such as brute-force password guessing or exploitation of known vulnerabilities in RDP services. Ensuring that no EC2 instances allow ingress to this port from the internet enhances security by reducing the attack surface, and mitigates the risk of unauthorized access.

Impact:

Pros:

  • Enhances security by limiting exposure to RDP attacks.

  • Reduces the risk of unauthorized access to EC2 instances.

  • Helps align with best practices for securing EC2 instances and cloud infrastructure.

Cons:

  • Legitimate RDP access will need to be restricted or managed through secure methods (e.g., VPNs, bastion hosts).

  • Requires careful management of security group rules and access policies.

Default Value:

By default, EC2 instances may be launched with security groups that permit ingress to TCP port 3389 from anywhere, especially if the instance is intended to be accessed via RDP. It is essential to manually configure security groups to restrict this access.

Pre-requisites:

  • AWS IAM permissions to describe and modify security groups:

    • ec2:DescribeSecurityGroups

    • ec2:ModifySecurityGroups

  • Access to AWS Management Console or AWS CLI.

  • Understanding of security group configuration and RDP access management.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2.

  3. Go to Security Groups in the Network & Security section.

  4. Review the security group rules for each security group associated with your EC2 instances.

  5. Check for any inbound rules that allow ingress to TCP port 3389 (RDP) from sources like 0.0.0.0/0 or ::/0.

  6. If found, modify the security group to remove or restrict the rule to allow access only from trusted IP addresses (e.g., VPNs, bastion hosts).

Using AWS CLI:

List all security groups:

aws ec2 describe-security-groups --query "SecurityGroups[*].GroupId" --output text

For each security group, check for ingress rules allowing TCP port 3389:

aws ec2 describe-security-groups --group-ids <SECURITY_GROUP_ID> --query "SecurityGroups[*].IpPermissions" --output table

Look for any rules allowing ingress to TCP port 3389 (RDP) from 0.0.0.0/0 or ::/0.

If such rules exist, modify or delete them:

aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 3389 --cidr 0.0.0.0/0

Implementation Plan:

Using AWS Console:

  1. Open the AWS Management Console.

  2. Navigate to EC2.

  3. Go to Security Groups in the Network & Security section.

  4. Review and select security groups associated with EC2 instances.

  5. Check for inbound rules that allow ingress to port 3389 from the internet (e.g., 0.0.0.0/0).

  6. Modify the rule to restrict access by either:

    • Removing the rule for TCP port 3389.

    • Restricting access to specific trusted IPs or networks (e.g., VPN, bastion hosts).

  7. Save the changes and verify that the access restrictions are applied.

Using AWS CLI:

Use aws ec2 describe-security-groups to list the security groups associated with EC2 instances.

For each group, check for rules that allow ingress on TCP port 3389.

Revoke any rules that allow unrestricted access:

aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 3389 --cidr 0.0.0.0/0

If needed, add a restricted rule to allow access only from trusted sources (e.g., specific IP addresses, VPN networks):

aws ec2 authorize-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 3389 --cidr <TRUSTED_IP>/32
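The following script is an added example, not part of this benchmark page or of the AWS CLI itself. It applies the Test Plan and Implementation Plan CLI checks above to the JSON that `aws ec2 describe-security-groups --output json` returns: besides exact TCP/3389 rules it flags port ranges that contain 3389 and all-traffic (-1) rules from 0.0.0.0/0 or ::/0, which a search for "port 3389" alone would miss, and it builds a revoke command that matches each rule as it actually exists. The security group IDs and rules in SAMPLE are constructed placeholders.

```python
import json

RDP_PORT = 3389
ANYWHERE = {"0.0.0.0/0", "::/0"}
CIDR_KEYS = {"IpRanges": "CidrIp", "Ipv6Ranges": "CidrIpv6"}   # IPv4 and IPv6 range lists
# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`;
# the group ids are placeholders, not real resources.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa0000example01", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
        "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb0000example02", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000,
        "ToPort": 4000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc0000example03", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ddd0000example04", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
        "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.1.5/32"}]}]}]}

def rule_reaches_rdp(perm):
    """All traffic (-1, no ports) or a TCP range containing 3389 exposes RDP, not only an exact 3389 rule."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)

def internet_sources(perm):
    """(range list key, cidr) pairs in the rule whose source means 'anywhere'."""
    return [(k, r[ck]) for k, ck in CIDR_KEYS.items() for r in perm.get(k, []) if r[ck] in ANYWHERE]

def find_exposed_rdp(describe_output):
    """One finding per (group, rule, open cidr); 'perm' keeps the rule exactly as AWS reports it."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if rule_reaches_rdp(perm):
                for key, cidr in internet_sources(perm):
                    findings.append({"GroupId": sg["GroupId"], "perm": perm, "key": key, "cidr": cidr})
    return findings

def revoke_command(finding):
    """Revoke the rule as it exists: '--port 3389' would not match a 3000-4000 or all-traffic rule."""
    p = finding["perm"]
    spec = {"IpProtocol": p["IpProtocol"]}
    if p["IpProtocol"] != "-1":            # all-traffic rules carry no FromPort/ToPort
        spec.update(FromPort=p["FromPort"], ToPort=p["ToPort"])
    spec[finding["key"]] = [{CIDR_KEYS[finding["key"]]: finding["cidr"]}]
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['GroupId']} "
            f"--ip-permissions '{json.dumps([spec])}'")
```

Feed it the real output with `json.load` and review each printed command before running it; a rule that also carries trusted CIDRs keeps those, because only the open CIDR is passed to revoke.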

Backout Plan:

If disabling ingress on port 3389 causes access issues:

  1. Identify the affected security groups and check if there is a need to allow access to RDP for specific IPs or networks.

  2. Modify the security group to add back the necessary ingress rule for TCP port 3389 with restricted access (e.g., a specific IP or subnet).

  3. Test that the RDP access is restored and only available to the intended users.

  4. Document all changes made to the security group for auditing and compliance purposes.

Reference:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                      | IG1 | IG2 | IG3
--------|------------|----------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 14.1       | Restrict access to sensitive network ports by applying proper network-based security controls.           |     |     |
v8      | 6.6        | Implement network-level access controls to prevent unauthorized access to internal services and systems. |     |     |
v8      | 14.3       | Use network segmentation to enforce security boundaries and prevent unnecessary exposure of resources.   |     |     |