Profile Applicability:
Level 2
Description:
Restricting SSH access to specific, trusted IP addresses helps protect your Lightsail instances from unauthorized access. By limiting which IP addresses can connect to the instance over SSH, you reduce the attack surface and improve the overall security of the instance.
Rationale:
Allowing unrestricted SSH access (default port 22) can expose your instance to brute-force and other attacks. By restricting SSH access to only trusted IP addresses, you prevent unauthorized users from gaining access to your instances, even if they know the SSH credentials. This approach enhances the security of the instance and protects sensitive data and configurations.
Impact:
Pros:
Enhanced Security: Restricting SSH access to only authorized IPs prevents unauthorized attempts to connect.
Reduced Exposure: Reduces the attack surface and mitigates brute-force and password-guessing attacks.
Improved Compliance: Meets security best practices and compliance requirements for restricted administrative access.
Cons:
Limited Access: If the trusted IP address changes (e.g., if using dynamic IPs), SSH access may be temporarily disrupted until the change is reflected in the firewall rules.
Management Overhead: Requires ongoing management to ensure that any new authorized IPs are added and old IPs are removed as needed.
Default Value:
By default, Lightsail instances have SSH access open to all IP addresses. No restrictions are applied unless configured.
Pre-requisites:
Administrative access to the Lightsail Console or AWS CLI.
The IP address(es) that should be granted SSH access.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Console and open the Lightsail console.
Select the instance, navigate to Networking and then select Firewall.
Under the Firewall tab, find the rule for SSH (port 22).
Modify the inbound rule to restrict SSH access to only specific IP addresses:
Select Add another rule.
In the Application field, choose SSH.
In the Source type field, choose Custom and enter the trusted IP address or IP range (CIDR format).
Save the rule.
Confirm that only the trusted IP addresses can access the instance via SSH.
Test by attempting to access the instance from a non-authorized IP to verify that the access is denied.
Using AWS CLI:
List the instances to identify the instance you want to modify:
aws lightsail get-instances
Run the following command to list the firewall rules (port states) associated with the instance:
aws lightsail get-instance-port-states --instance-name <instance-name>
To add a rule that restricts SSH access to a specific IP, run (note that put-instance-public-ports replaces the instance's entire rule set, so include every other port that must stay open, such as 80 or 443, in the same --port-infos list):
aws lightsail put-instance-public-ports --instance-name <instance-name> --port-infos fromPort=22,toPort=22,protocol=tcp,cidrs=<trusted-ip>/32
Verify that the firewall rule has been successfully updated by listing the port states again and confirming that the port 22 rule no longer contains 0.0.0.0/0 or ::/0:
aws lightsail get-instance-port-states --instance-name <instance-name>
Implementation Plan:
Using AWS Console:
Log in to the AWS Console.
Navigate to Networking and click on Firewall.
In the Inbound Rules section, locate the SSH (port 22) rule.
Edit the rule to restrict access to specific IP addresses:
Select Custom under Source type and enter the trusted IP address or IP range.
Save the changes to restrict SSH access.
Confirm that the changes have been applied by verifying the firewall configuration and attempting SSH access from an unauthorized IP.
Using AWS CLI:
List all instances using:
aws lightsail get-instances
Add the rule to allow only the trusted IP to access the instance (put-instance-public-ports replaces all existing rules, so list every other required port alongside the SSH rule):
aws lightsail put-instance-public-ports --instance-name <instance-name> --port-infos fromPort=22,toPort=22,protocol=tcp,cidrs=<trusted-ip>/32
Verify the firewall rule:
aws lightsail get-instance-port-states --instance-name <instance-name>
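The following added example (not part of this benchmark or of AWS tooling) automates both the Test Plan check and the Implementation Plan rule rewrite above: it flags port 22 rules open to 0.0.0.0/0 or ::/0 in the portStates list returned by get-instance-port-states, and builds a replacement port-infos list for put-instance-public-ports that keeps every non-SSH rule intact. The sample port states and the trusted CIDR are constructed; the instance name and AWS credentials used by audit_live are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the "portStates" list returned by
# `aws lightsail get-instance-port-states` (SSH and HTTP open to the world).
SAMPLE_PORT_STATES = [
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
    {"fromPort": 80, "toPort": 80, "protocol": "tcp", "state": "open",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
]

def world_open_ssh_rules(port_states):
    """Return (fromPort, toPort, wide_cidrs) for open rules that cover port 22
    and admit every IPv4 or IPv6 source (prefix length 0)."""
    findings = []
    for rule in port_states:
        if rule.get("state") != "open" or rule.get("protocol", "").lower() not in ("tcp", "all"):
            continue
        if not (rule["fromPort"] <= 22 <= rule["toPort"]):
            continue
        wide = [c for c in rule.get("cidrs", []) + rule.get("ipv6Cidrs", [])
                if ipaddress.ip_network(c).prefixlen == 0]
        if wide:
            findings.append((rule["fromPort"], rule["toPort"], wide))
    return findings

def build_port_infos(port_states, trusted_cidrs):
    """Build the port-infos list for put-instance-public-ports. Because that
    call replaces the whole rule set, every non-SSH rule is copied unchanged
    and only rules covering port 22 are rewritten to the trusted CIDRs."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]  # ValueError on bad CIDR
    infos = []
    for rule in port_states:
        info = {"fromPort": rule["fromPort"], "toPort": rule["toPort"], "protocol": rule["protocol"]}
        if rule["fromPort"] <= 22 <= rule["toPort"]:
            info["cidrs"] = [str(n) for n in nets if n.version == 4]
            info["ipv6Cidrs"] = [str(n) for n in nets if n.version == 6]
        else:
            info["cidrs"] = list(rule.get("cidrs", []))
            info["ipv6Cidrs"] = list(rule.get("ipv6Cidrs", []))
        infos.append(info)
    return infos

def audit_live(instance_name):
    """Run the check against a real instance (assumes boto3 and AWS credentials)."""
    import boto3  # imported here so the rest of the block runs without boto3
    states = boto3.client("lightsail").get_instance_port_states(instanceName=instance_name)["portStates"]
    return world_open_ssh_rules(states)

if __name__ == "__main__":
    print("findings:", world_open_ssh_rules(SAMPLE_PORT_STATES))
    print(json.dumps(build_port_infos(SAMPLE_PORT_STATES, ["203.0.113.5/32"]), indent=2))
```

The JSON printed by build_port_infos can be passed to put-instance-public-ports as the --port-infos argument after confirming it still lists every port the instance needs.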
Backout Plan:
Using AWS Console:
If issues arise, revert the changes by modifying the firewall rule to allow SSH access from all IP addresses or a broader range.
Navigate to Firewall in the Lightsail Console and modify the SSH rule to the default setting (allow all IPs or a wider range).
Test the connection to ensure the instance is accessible via SSH from all required IPs.
Using AWS CLI:
To revert the firewall rule and allow SSH access from all IPs, run (again listing every other required port in the same --port-infos list, since the command replaces the full rule set):
aws lightsail put-instance-public-ports --instance-name <instance-name> --port-infos fromPort=22,toPort=22,protocol=tcp,cidrs=0.0.0.0/0
Verify the firewall rule changes:
aws lightsail get-instance-port-states --instance-name <instance-name>