Profile Applicability:
- Level 1
Description:
Ensure that no EC2 instances are configured to allow ingress traffic from the internet to Elasticsearch and Kibana ports (TCP 9200, 9300, 5601). This helps prevent unauthorized access to these services and enhances security.
Rationale:
Restricting ingress traffic to Elasticsearch and Kibana ports enhances security by preventing potential unauthorized access and data breaches. It ensures that only trusted sources can communicate with these services.
Impact:
Positive Impact: Improved security posture by restricting access to critical services.
Negative Impact: Potential connectivity issues if legitimate sources are inadvertently blocked.
Default Value:
By default, security groups may allow ingress traffic from the internet. Explicit configuration is required to restrict access.
Pre-Requisite:
IAM Permissions: Ensure necessary permissions to view and modify security group settings.
AWS Services: Amazon EC2
Tools Required: AWS Management Console, AWS CLI.
Remediation:
Test plan:
Using AWS Console:
Sign In: Log in to the AWS Console.
Navigate to EC2 Dashboard.
Go to the EC2 console.
In the navigation pane, choose Security Groups.
Select the security group associated with your EC2 instances.
Click Edit inbound rules.
Remove any rules that allow ingress traffic from the internet (0.0.0.0/0) to ports 9200, 9300, and 5601.
Click Save rules to apply the changes.
Using AWS CLI:
Open Terminal: Open your terminal or command prompt.
List Security Groups: Execute the following command to list all security groups:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName}'
Identify Security Group: Identify the security group associated with your EC2 instances.
Revoke Ingress Rules: Execute the following command to revoke ingress rules that allow traffic from the internet to ports 9200, 9300, and 5601:
aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 9200 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 9300 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 5601 --cidr 0.0.0.0/0
Implementation:
Using AWS Console:
Log in to the AWS Console.
Navigate to EC2 Dashboard.
In the navigation pane, choose Security Groups.
Review the security group rules to ensure no ingress traffic is allowed from the internet to ports 9200, 9300, and 5601.
Using AWS CLI:
Open Terminal: Open your terminal or command prompt.
List Security Groups: Execute the following command to list all security groups:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName}'
Identify Security Group: Identify the security group associated with your EC2 instances.
Revoke Ingress Rules: Execute the following commands to revoke ingress rules that allow traffic from the internet to ports 9200, 9300, and 5601:
aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 9200 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 9300 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 5601 --cidr 0.0.0.0/0
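The review step above asks you to confirm that no rule reaches ports 9200, 9300 or 5601 from the internet, and the revoke commands only match a rule written exactly as a single port with 0.0.0.0/0. The following added example (not part of this recommendation's own text) audits the JSON returned by `aws ec2 describe-security-groups --output json` (or boto3's describe_security_groups(), same shape) and also flags port ranges that span these ports, all-traffic rules, and IPv6 ::/0; the sample data and the group id sg-0example are constructed.

```python
# Added example for this recommendation (not the page's own code). Input is the JSON
# returned by `aws ec2 describe-security-groups --output json` or boto3's
# describe_security_groups(); the sample data and group id below are constructed.
ES_KIBANA_PORTS = (9200, 9300, 5601)
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm, port):
    """True if an IpPermissions entry reaches `port` over TCP, including protocol -1
    (all traffic) and port ranges, which a literal `--port 9200` revoke does not match."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def internet_cidrs(perm):
    """IPv4 and IPv6 ranges in the rule that mean 'from anywhere'."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] in INTERNET_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in INTERNET_CIDRS]
    return v4 + v6


def find_exposed(describe_output):
    """Return sorted (GroupId, port, cidr) triples for every internet-open ES/Kibana rule."""
    findings = set()
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for cidr in internet_cidrs(perm):
                for port in ES_KIBANA_PORTS:
                    if rule_covers_port(perm, port):
                        findings.add((sg["GroupId"], port, cidr))
    return sorted(findings)


# Constructed sample: a 9200 rule open to IPv4 anywhere, a 5000-6000 range open to
# IPv6 anywhere (covers Kibana 5601), and a trusted /32 on 9300 that must not be flagged.
SAMPLE = {"SecurityGroups": [{"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 9300, "ToPort": 9300,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]}]}

if __name__ == "__main__":
    for group, port, cidr in find_exposed(SAMPLE):
        print(f"{group}: TCP {port} open to {cidr}")
```

Each finding names the security group, the exposed port and the offending CIDR, so the matching revoke command (with the rule's actual port range and CIDR) can be built from it.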
Backout Plan:
Using AWS Console:
If disabling access to Elasticsearch and Kibana ports causes issues, re-enable the necessary inbound rule by editing the security group.
Allow access from specific trusted IPs or range, rather than from 0.0.0.0/0.
Using AWS CLI:
To restore access to Elasticsearch or Kibana, run the following command to allow ingress from a specific IP address:
aws ec2 authorize-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 9200 --cidr <TRUSTED_IP>/32
Verify that the necessary rules are in place:
aws ec2 describe-security-groups --group-ids <SECURITY_GROUP_ID>
References:
CIS Controls: