Profile Applicability:
- Level 1
Description:
This check ensures that no security groups in your AWS environment allow ingress (incoming) traffic from 0.0.0.0/0 (representing all IPv4 addresses) or ::/0 (representing all IPv6 addresses) to FTP ports 20 or 21. Allowing such unrestricted access can expose your resources to unauthorized access and potential exploits.
Rationale:
FTP ports 20 and 21 are used for data transfer and communication by the File Transfer Protocol (FTP) client-server applications. Exposing these ports to the internet without proper access controls can lead to unauthorized access, data breaches, and potential abuse. It's essential to restrict access to trusted sources to maintain the security and integrity of your applications.
Impact:
Security: Unauthorized access to FTP services can lead to data breaches, service disruptions, or system compromises.
Compliance: Failure to restrict access to these ports may violate security standards and compliance requirements (e.g., PCI-DSS, HIPAA, SOC 2).
Service Downtime: Exploits targeting these ports can lead to service outages or security incidents affecting resource availability.
Default Value:
By default, security groups in AWS do not allow inbound traffic on ports 20 and 21. However, custom security group configurations might have rules that allow ingress to these ports.
Pre-Requisites:
AWS Management Console access or AWS CLI installed with appropriate permissions to describe and modify security group rules.
Familiarity with security best practices and the FTP protocol.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the EC2 dashboard.
Under Network & Security, choose Security Groups.
Select each security group and review the Inbound Rules.
Verify that no rules allow ingress from 0.0.0.0/0 or ::/0 to ports 20 or 21.
If such rules exist, they should be modified or removed.
Using AWS CLI:
Run the following command to list all security groups in your AWS region:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,Ingress:IpPermissions}'
For each security group, check the inbound rules for any entries allowing ingress to ports 20 or 21 from 0.0.0.0/0 or ::/0.
If such entries exist, they should be modified or removed.
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the EC2 dashboard.
Go to Security Groups.
Select each security group and review the Inbound Rules.
If any rule allows ingress from 0.0.0.0/0 or ::/0 to ports 20 or 21:
Click Edit inbound rules.
Locate and delete the rule allowing access to these ports.
Click Save rules.
Using AWS CLI:
To revoke the ingress rule allowing access to port 20 from 0.0.0.0/0, run:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 20 --cidr 0.0.0.0/0
To revoke the ingress rule allowing access to port 21 from 0.0.0.0/0, run:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 21 --cidr 0.0.0.0/0
Replace <security-group-id> with the ID of your security group.
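The CLI steps in the Test Plan and the Implementation Plan above list rules and revoke them one port and one IPv4 CIDR at a time. The Python script below is an added example, not part of this benchmark or of the AWS CLI, and serves both steps: it parses the JSON that aws ec2 describe-security-groups prints, flags every ingress rule that reaches port 20 or 21 from 0.0.0.0/0 or ::/0 (including all-protocol "-1" rules and TCP port ranges that span those ports, which a port-by-port review can miss), and builds the --ip-permissions payload for aws ec2 revoke-security-group-ingress, which is the form needed to revoke an IPv6 ::/0 source. The security group IDs, names and rules in SAMPLE are constructed sample data; find_violations, revoke_permission and revoke_command are names chosen for this example.

```python
import json
import shlex
import sys

FTP_PORTS = (20, 21)
OPEN_IPV4 = "0.0.0.0/0"
OPEN_IPV6 = "::/0"

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs, names and rules are made up for this example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "legacy-ftp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-00000000000000001", "GroupName": "low-port-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1023,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-00000000000000002", "GroupName": "internal-ftp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 21,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]}


def rule_covers_ftp(perm):
    """True if this IpPermission entry can reach port 20 or 21.
    IpProtocol "-1" means every protocol and carries no port fields; a TCP
    rule reaches FTP when its [FromPort, ToPort] range overlaps 20-21."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    low = perm.get("FromPort", 0)
    high = perm.get("ToPort", 65535)
    return any(low <= port <= high for port in FTP_PORTS)


def open_sources(perm):
    """Return the world-open IPv4 and IPv6 sources of one rule (exact match)."""
    ipv4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_IPV4]
    ipv6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_IPV6]
    return ipv4, ipv6


def find_violations(groups):
    """Audit the 'SecurityGroups' list; one finding per offending rule."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_ftp(perm):
                continue
            ipv4, ipv6 = open_sources(perm)
            if not (ipv4 or ipv6):
                continue
            findings.append({
                "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName"),
                "IpProtocol": perm["IpProtocol"],
                "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                "IpRanges": ipv4, "Ipv6Ranges": ipv6})
    return findings


def revoke_permission(finding):
    """Build the --ip-permissions entry that removes only the world-open
    sources of the offending rule. Note that a "-1" or wide-range rule cannot
    be narrowed by a revoke: the payload drops that whole source, so review it
    before running."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if finding["IpRanges"]:
        perm["IpRanges"] = [{"CidrIp": c} for c in finding["IpRanges"]]
    if finding["Ipv6Ranges"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in finding["Ipv6Ranges"]]
    return perm


def revoke_command(finding):
    """The AWS CLI command line that revokes the finding (IPv4 and IPv6 alike)."""
    payload = json.dumps([revoke_permission(finding)], separators=(",", ":"))
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions %s"
            % (finding["GroupId"], shlex.quote(payload)))


if __name__ == "__main__":
    # Real data: aws ec2 describe-security-groups | python3 audit_ftp_sg.py -
    source = json.load(sys.stdin) if "-" in sys.argv[1:] else SAMPLE
    for f in find_violations(source["SecurityGroups"]):
        ports = "all ports" if f["FromPort"] is None else "%s-%s" % (f["FromPort"], f["ToPort"])
        print("%s (%s): %s %s open from %s" % (f["GroupId"], f["GroupName"],
              f["IpProtocol"], ports, f["IpRanges"] + f["Ipv6Ranges"]))
        print("  " + revoke_command(f))
```

The script only prints the revoke commands; run them after confirming each finding, since the all-protocol and wide-range cases remove more than FTP access.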
Backout Plan:
If issues arise after modifying the security group, you can restore the original rules by running:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 20 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 21 --cidr 0.0.0.0/0
Ensure that any restoration of rules is done with caution and in accordance with your organization's security policies.