Profile Applicability:
- Level 1
Description:
Oracle database services typically use TCP ports 1521, 2483, and 2484 for communication. These ports are used for Oracle database listener services, which can be vulnerable if exposed to the internet. Ingress traffic to these ports from the internet can allow unauthorized access to the database, increasing the risk of data breaches and attacks. This SOP ensures that no Amazon EC2 instances have open access to these ports from the public internet (0.0.0.0/0 or ::/0) by inspecting and configuring the appropriate security group rules for EC2 instances.
Rationale:
Exposing Oracle database ports to the internet, such as TCP 1521, 2483, and 2484, makes the instance vulnerable to attack. By ensuring these ports are blocked from external access, you reduce the attack surface and prevent unauthorized access to sensitive database systems. Only authorized users or systems within the internal network should have access to these ports, and the configuration should be aligned with best practices for securing database services.
Impact:
Pros:
Enhances the security posture by preventing unauthorized internet access to sensitive database ports.
Reduces the risk of data breaches and Oracle-related exploits.
Ensures compliance with security best practices and organizational security policies.
Cons:
If access is required for legitimate external use cases, additional configurations such as VPNs, NAT gateways, or specific IP whitelisting will be needed.
Default Value:
By default, EC2 instances are associated with security groups that may allow inbound traffic on any port unless explicitly restricted. Security groups should be configured to prevent unrestricted ingress to critical Oracle database ports from the internet.
Pre-requisite:
AWS IAM permissions:
ec2:DescribeSecurityGroups
ec2:ModifySecurityGroups
AWS CLI installed and configured.
Familiarity with EC2 security groups, port management, and Oracle database configurations.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 under Services.
Click on Security Groups under Network & Security.
Identify the Security Groups associated with your EC2 instances.
For each Security Group associated with an EC2 instance running Oracle, check the Inbound Rules.
Ensure that TCP ports 1521, 2483, and 2484 are not open for 0.0.0.0/0 or ::/0 (which represents the entire internet).
If these ports are open to the internet, remove or modify the inbound rules to restrict access to only trusted IP addresses or internal resources.
Using AWS CLI:
1. To list all security groups and their associated inbound rules, use the following command:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,InboundRules:IpPermissions[?ToPort==`1521` || ToPort==`2483` || ToPort==`2484`]}'This command will show any security group rules allowing ingress to Oracle database ports 1521, 2483, or 2484.
2. If any security group allows ingress from 0.0.0.0/0 or ::/0 to these ports, run the following command to revoke the ingress rule:
aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 1521 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 2483 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 2484 --cidr 0.0.0.0/0
3. After revoking the public access rule, verify the update:
aws ec2 describe-security-groups --group-id <group-id> --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,InboundRules:IpPermissions[?ToPort==`1521` || ToPort==`2483` || ToPort==`2484`]}Implementation Steps:
Using AWS Console:
Open the AWS Management Console
Navigate to EC2.
Go to Security Groups under Network & Security.
For each security group associated with EC2 instances running Oracle:
Select the security group and click Edit inbound rules.
Check for any rules that allow ingress to TCP ports 1521, 2483, or 2484 from 0.0.0.0/0 or ::/0.
Remove or edit these rules to restrict access to only trusted sources (e.g., internal network, specific IP ranges, or VPN connections).
Save the updated rules and verify the configuration.
Using AWS CLI:
1. List the security groups and check for public ingress on Oracle ports:
aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,InboundRules:IpPermissions[?ToPort==`1521` || ToPort==`2483` || ToPort==`2484`]}'2. Revoke the ingress rules that allow traffic from 0.0.0.0/0 or ::/0:
aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 1521 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 2483 --cidr 0.0.0.0/0 aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol tcp --port 2484 --cidr 0.0.0.0/
3. Verify that the changes have been applied:
aws ec2 describe-security-groups --group-id <group-id> --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,InboundRules:IpPermissions[?ToPort==`1521` || ToPort==`2483` || ToPort==`2484`]}'Backout Plan:
If revoking the rules causes loss of legitimate access to Oracle services:
Identify the affected security group and verify the required IP access.
Revert the revoked rules by adding back the necessary access for the trusted IP range or network.
aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 1521 --cidr <trusted-ip-range> aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 2483 --cidr <trusted-ip-range> aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol tcp --port 2484 --cidr <trusted-ip-range>
Verify that the access has been restored and that the configuration aligns with security policies.