Profile Applicability:

  • Level 1

Description:

Disabling SSH (port 22) and RDP (port 3389) on Lightsail instances when they are not needed is an essential security practice. These ports are commonly targeted by attackers attempting to gain unauthorized access to your instances. Disabling them when not in use minimizes the attack surface and improves the overall security posture of your environment.

Rationale:

SSH and RDP are critical services used for managing Lightsail instances, but they can also expose your instances to brute-force and other types of attacks if left open unnecessarily. By disabling these ports when not needed, you reduce the risk of unauthorized access, improve security, and help maintain a more controlled and hardened environment.

Impact:

Pros:

  • Enhanced Security: Reduces the attack surface by preventing unauthorized access attempts through open SSH or RDP ports.

  • Reduced Exposure: Limits the potential for exploitation of these commonly targeted services.

  • Improved Compliance: Meets security best practices and requirements for compliance frameworks, such as ISO 27001, SOC 2, and NIST.

Cons:

  • Inconvenience for Administrative Access: Disabling SSH and RDP ports may require additional steps to re-enable access when needed for administrative tasks.

  • Requires Alternative Access Mechanisms: If SSH or RDP is disabled, other secure methods (e.g., SSM, VPN, or bastion host) may be necessary for management.

Default Value:

By default, Lightsail instances often have SSH and RDP ports open for remote access, especially when the instance is launched with the default configuration.

Prerequisites:

  • Administrative access to the Lightsail instance.

  • Access to the Lightsail Console or CLI with sufficient permissions to modify firewall settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Console.

  2. In the Lightsail dashboard, navigate to Networking and then select Firewall.

  3. Under the Firewall tab, check the inbound rules for open ports.

  4. Find the rules for SSH (port 22) and RDP (port 3389) and delete or disable these rules when access is not required.

  5. Confirm that the rules have been removed or disabled by checking the firewall configuration again.

  6. Test access to the instance to ensure that SSH and RDP ports are closed. Ensure you can still access the instance using other management methods, such as AWS Systems Manager (SSM).

Using AWS CLI:

  1. List the Lightsail instances to identify the instance you want to modify:

    aws lightsail get-instances

  2. Run the following command to list the firewall rules (port states) associated with the instance:

    aws lightsail get-instance-port-states --instance-name <instance-name>

  3. To remove the SSH (port 22) rule, run:

    aws lightsail close-instance-public-ports --instance-name <instance-name> --port-info fromPort=22,toPort=22,protocol=tcp

  4. To remove the RDP (port 3389) rule, run:

    aws lightsail close-instance-public-ports --instance-name <instance-name> --port-info fromPort=3389,toPort=3389,protocol=tcp

  5. Verify that the firewall rules have been successfully removed by listing the instance's port states again.

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Console.

  2. Navigate to the Networking section, then click on Firewall.

  3. In the Inbound Rules section, locate the SSH (port 22) and RDP (port 3389) rules.

  4. Select and delete the SSH and RDP rules or disable them if appropriate for your security posture.

  5. Verify that the ports are closed by checking the firewall configuration and trying to access the instance via SSH or RDP.

  6. If SSH or RDP is needed in the future, you can re-enable the port via the same console.

Using AWS CLI:

  1. Identify the instance to modify by running:

    aws lightsail get-instances

  2. Remove the SSH (port 22) access:

    aws lightsail close-instance-public-ports --instance-name <instance-name> --port-info fromPort=22,toPort=22,protocol=tcp

  3. Remove the RDP (port 3389) access:

    aws lightsail close-instance-public-ports --instance-name <instance-name> --port-info fromPort=3389,toPort=3389,protocol=tcp

  4. Verify the ports are closed by listing the instance's firewall port states:

    aws lightsail get-instance-port-states --instance-name <instance-name>
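
The audit and remediation steps above can be automated against the JSON that the port-states command prints. The following script is an added example for this recommendation; it is not part of the benchmark or of AWS tooling. It reads the output of aws lightsail get-instance-port-states from standard input, flags any open rule that admits SSH (22) or RDP (3389), including broad port ranges and "all"-protocol rules that hide those ports, and prints the matching close-instance-public-ports commands for review. The SAMPLE_PORT_STATES document, the instance name web-1 and the CIDRs in it are constructed for the example, not real account data.

```python
"""Flag and remediate open SSH/RDP firewall rules on a Lightsail instance.

Added example for this recommendation; it is not AWS code. It consumes the JSON
that `aws lightsail get-instance-port-states --instance-name <instance-name>`
prints and emits the matching `close-instance-public-ports` calls. The sample
document below is constructed to look like that output; it is not real data.
"""
import json
import sys

# Services the benchmark wants closed when not needed: port -> (name, protocols).
# SSH is TCP only; RDP may also be carried over UDP 3389.
MANAGEMENT_PORTS = {22: ("SSH", {"tcp"}), 3389: ("RDP", {"tcp", "udp"})}

# Constructed sample shaped like a get-instance-port-states response: an HTTP
# rule, a world-open SSH rule, and a wide "all"-protocol range covering 3389.
SAMPLE_PORT_STATES = {
    "portStates": [
        {"fromPort": 80, "toPort": 80, "protocol": "tcp", "state": "open",
         "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
        {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open",
         "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": [], "cidrListAliases": []},
        {"fromPort": 3000, "toPort": 4000, "protocol": "all", "state": "open",
         "cidrs": ["203.0.113.0/24"], "ipv6Cidrs": [], "cidrListAliases": []},
    ]
}


def rule_exposes(rule, port, protocols):
    """True if an open rule admits `port` over any of `protocols`.

    Rules are ranges (fromPort..toPort), so a broad range exposes a management
    port just as an explicit rule does; protocol "all" matches any protocol.
    """
    if rule.get("state") != "open":
        return False
    if rule.get("protocol") != "all" and rule.get("protocol") not in protocols:
        return False
    return rule["fromPort"] <= port <= rule["toPort"]


def audit_port_states(doc):
    """Return one finding per (rule, management port) pair the rule exposes."""
    findings = []
    for rule in doc.get("portStates", []):
        for port, (service, protocols) in MANAGEMENT_PORTS.items():
            if rule_exposes(rule, port, protocols):
                findings.append({"service": service, "port": port, "rule": rule})
    return findings


def remediation_commands(instance_name, findings):
    """Build one close-instance-public-ports call per offending rule.

    The command mirrors the rule as reported (its full range and protocol) so
    that it targets that rule; if a broad range is still needed for other
    services, re-add it afterwards without the management port.
    """
    commands, seen = [], set()
    for finding in findings:
        rule = finding["rule"]
        key = (rule["fromPort"], rule["toPort"], rule["protocol"])
        if key in seen:
            continue
        seen.add(key)
        commands.append(
            "aws lightsail close-instance-public-ports --instance-name {} "
            "--port-info fromPort={},toPort={},protocol={}".format(instance_name, *key)
        )
    return commands


def main(argv):
    """Usage: aws lightsail get-instance-port-states --instance-name X | python3 audit.py X"""
    instance = argv[1] if len(argv) > 1 else "<instance-name>"
    # With nothing piped in, fall back to the constructed sample for a dry run.
    doc = SAMPLE_PORT_STATES if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit_port_states(doc)
    if not findings:
        print("PASS: no SSH/RDP rules open on", instance)
        return 0
    for finding in findings:
        rule = finding["rule"]
        sources = ",".join(rule.get("cidrs", []) + rule.get("ipv6Cidrs", [])) or "(no cidrs)"
        print("FAIL: {} (port {}) exposed by rule {}-{}/{} from {}".format(
            finding["service"], finding["port"], rule["fromPort"], rule["toPort"],
            rule["protocol"], sources))
    print("Remediation (review before running):")
    for cmd in remediation_commands(instance, findings):
        print("  " + cmd)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it per instance as aws lightsail get-instance-port-states --instance-name <instance-name> | python3 audit.py <instance-name>; the exit code is 0 when no management port is open and 1 otherwise, which makes it usable as a scheduled compliance check. The printed commands are deliberately not executed by the script, so the operator confirms that an alternative management path exists before closing anything.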

Backout Plan:

Using AWS Console:

  1. If administrative access is required and the ports were accidentally disabled, log in to the Firewall section in the Lightsail Console.

  2. Add the necessary inbound rules back for SSH (port 22) and/or RDP (port 3389).

  3. Test that the ports have been re-enabled and that you can access the instance via the respective protocol.

Using AWS CLI:

  1. To restore SSH (port 22) access, run:

    aws lightsail open-instance-public-ports --instance-name <instance-name> --port-info fromPort=22,toPort=22,protocol=tcp

  2. To restore RDP (port 3389) access, run:

    aws lightsail open-instance-public-ports --instance-name <instance-name> --port-info fromPort=3389,toPort=3389,protocol=tcp

  3. Verify that the ports have been re-opened by listing the instance's firewall port states:

    aws lightsail get-instance-port-states --instance-name <instance-name>

  To limit a re-opened port to known administrative addresses rather than all sources, append cidrs=<admin-cidr> to the --port-info value (for example fromPort=22,toPort=22,protocol=tcp,cidrs=<admin-cidr>).

References:

CIS Controls:

Version   Control ID   Control Description

v8        4.1          Ensure that unnecessary network ports (such as SSH and RDP) are disabled or closed on instances when they are not needed to minimize exposure.

v7        13.5         Disable or restrict unused and unnecessary network ports on systems to reduce potential attack surfaces.