Profile Applicability:
Level 1
Description:
Amazon EC2 (Elastic Compute Cloud) instances provide scalable compute capacity in the cloud. Security groups act as virtual firewalls that control inbound and outbound traffic to EC2 instances. Kerberos is a network authentication protocol that uses ports TCP 88 (Kerberos Authentication), 464 (Kerberos Change/Set Password), 749 (Kerberos 5), and 750 (Kerberos Admin). Allowing ingress from the internet to these ports can expose EC2 instances to potential attacks, such as brute-force password attacks or unauthorized access to authentication services. It is critical to ensure these ports are restricted to prevent unauthorized access.
Rationale:
Allowing unrestricted access to Kerberos ports from the internet can expose EC2 instances to various security vulnerabilities, including unauthorized authentication attempts and potential exploitation of weaknesses in the Kerberos protocol. Restricting access to these ports helps prevent malicious actors from gaining unauthorized access or disrupting authentication services, which is essential for securing the EC2 instances and associated resources.
Impact:
Pros:
Enhances security by reducing the exposure of sensitive authentication services to the internet.
Prevents unauthorized access attempts on Kerberos ports.
Aligns with best practices for securing EC2 instances and the authentication infrastructure.
Cons:
Requires configuration to allow legitimate traffic (e.g., from trusted IPs, VPNs, etc.).
Misconfiguration can result in legitimate Kerberos-based access issues.
Default Value:
By default, EC2 instances may have security groups that permit ingress to these Kerberos ports from any source (0.0.0.0/0 or ::/0). These permissions need to be manually modified to restrict access.
Pre-requisites:
AWS IAM permissions to describe and modify security groups:
ec2:DescribeSecurityGroups
ec2:ModifySecurityGroups
AWS CLI installed and configured.
Knowledge of security group configuration and Kerberos access requirements.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2
Security Groups in the Network & Security section.
Review the list of security groups associated with EC2 instances.
Check for any inbound rules that allow ingress to TCP ports 88, 464, 749, or 750 from 0.0.0.0/0 or ::/0.
If such rules exist, modify the security group to restrict access to these ports from specific trusted IP addresses or networks, or remove the rules entirely.
Using AWS CLI:
1. List all security groups:
aws ec2 describe-security-groups --query "SecurityGroups[*].GroupId" --output text
2. For each security group, check for ingress rules allowing TCP ports 88, 464, 749, or 750:
aws ec2 describe-security-groups --group-ids <SECURITY_GROUP_ID> --query "SecurityGroups[*].IpPermissions" --output table
Look for any rules allowing ingress on the Kerberos ports from 0.0.0.0/0 or ::/0.
If such rules exist, revoke them:
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 88 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 464 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 749 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 750 --cidr 0.0.0.0/0
Implementation Plan:
Using AWS Console:
Open the AWS Management Console
Navigate to EC2.
Go to Security Groups under Network & Security.
Select the security group associated with the EC2 instance.
Review the Inbound Rules for any rules that allow ingress on TCP ports 88, 464, 749, or 750 from 0.0.0.0/0 or ::/0.
Modify the rule to restrict access by either:
Removing the rule for Kerberos ports.
Restricting access to specific trusted IP addresses or subnets (e.g., VPN network).
Save the changes and verify that the access restrictions are applied.
Using AWS CLI:
1. List Security Groups and identify any that have open access to ports 88, 464, 749, or 750:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,Ingress:IpPermissions}'2. Remove ingress rules for ports 88, 464, 749, or 750 from the identified Security Groups
aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 88 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 464 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 749 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 750 --cidr 0.0.0.0/0
Backout Plan:
Using AWS Console:
If the restriction causes unintended service disruptions:
Re-enable access to the ports in the Security Group settings.
Review the VPC Network ACLs and modify them as necessary to allow traffic to the affected EC2 instances.
Navigate to the Security Group or Network ACL and modify the rule to allow ingress on ports 88, 464, 749, or 750 from trusted sources.
Using AWS CLI:
If restrictions cause connectivity issues:
Revert changes by adding back the necessary ingress rules using:
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 88 --cidr <trusted-source-ip> aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 464 --cidr <trusted-source-ip> aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 749 --cidr <trusted-source-ip> aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 750 --cidr <trusted-source-ip>
References:
CIS Controls Mapping: