Profile Applicability
- Level 1
Description:
Security groups in AWS are stateful virtual firewalls that control the flow of network traffic to and from resources such as EC2 instances. A newly created security group has no inbound rules, but rules allowing ingress from 0.0.0.0/0 (any IPv4 address) or ::/0 (any IPv6 address) to remote server administration ports (e.g., SSH on TCP port 22, RDP on TCP port 3389) are easy to add and are routinely proposed by the EC2 console launch wizard and by quick-start templates. Such a rule opens the administration port to the entire internet, which poses a significant security risk.
It is essential to ensure that no security group allows unrestricted ingress from 0.0.0.0/0 or ::/0 to remote administration ports, whether the rule names the port directly, uses a port range that includes it, or allows all traffic (protocol -1). This practice minimizes exposure to brute-force, credential-stuffing and vulnerability-exploitation attacks targeting the server administration interfaces.
Rationale:
Blocking ingress from 0.0.0.0/0 to server administration ports offers several benefits:
Security: Removes the ability of arbitrary internet hosts to reach SSH or RDP, so only connections from approved source networks are accepted.
Compliance: Meets the requirement, common to most security standards, that access to remote administration services such as SSH and RDP be restricted to known sources.
Minimized attack surface: Internet-wide scanners cannot enumerate, brute-force or exploit the administration service if they cannot connect to it.
Auditability: A short allow-list of source CIDRs documents who may reach these ports and makes unexpected connection attempts stand out in VPC Flow Logs.
Without this restriction, any instance with a public IP address and such a security group attached can be reached on its administration port by anyone on the internet, who can then guess passwords or exploit vulnerabilities in the SSH or RDP service.
Impact:
Failure to block ingress from 0.0.0.0/0 to remote server administration ports can result in:
Unauthorized access: Open access to server administration ports can be exploited by attackers for unauthorized access, leading to data breaches or system compromises.
Increased risk of attacks: Allowing unrestricted access increases the likelihood of successful brute-force attacks or exploitation of known vulnerabilities.
Non-compliance: Violates security best practices and compliance standards requiring restricted access to remote administration ports.
Blocking ingress from 0.0.0.0/0 ensures that only authorized users or systems have access to critical administration ports.
Default Value:
A newly created security group has no inbound rules (all ingress denied), and the default security group of a VPC allows inbound traffic only from members of the same group. Neither exposes port 22 or 3389 by itself; the exposure comes from rules added later, for example the SSH-from-anywhere (0.0.0.0/0) rule that the EC2 console launch wizard proposes when an instance is launched. Any such rule should be restricted to trusted source addresses.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
ec2:DescribeSecurityGroups
ec2:RevokeSecurityGroupIngress
ec2:AuthorizeSecurityGroupIngress
Access to EC2 instance security groups to modify ingress rules
Remediation:
Test Plan:
Using AWS Console:
Go to the EC2 Console.
In the Security Groups section, review the inbound rules for each security group.
Identify any security group whose inbound rules allow a source of 0.0.0.0/0 or ::/0 to reach port 22 or 3389, either directly, through a port range that includes them (including All TCP), or through an All traffic rule.
Modify the Inbound rules to block access from 0.0.0.0/0 to these ports and ensure that access is restricted to trusted IP addresses.
Using AWS CLI:
Security groups are regional, so run the checks in every region in use (add --region <region>, or loop over the regions returned by aws ec2 describe-regions). List every security group with its inbound rules:
aws ec2 describe-security-groups --query "SecurityGroups[].[GroupId, GroupName, IpPermissions]" --output table
To list only the security groups that allow ingress from 0.0.0.0/0 or ::/0 to port 22 or 3389, whether the rule names the port, uses a range that includes it, or allows all traffic (protocol -1; the backticks are JMESPath number literals and must be escaped inside a double-quoted shell string):
aws ec2 describe-security-groups \
  --query "SecurityGroups[?IpPermissions[?(IpProtocol=='-1' || (FromPort<=\`22\` && ToPort>=\`22\`) || (FromPort<=\`3389\` && ToPort>=\`3389\`)) && (IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0'])]].[GroupId, GroupName]" \
  --output table
Any group listed is a finding. A query that matches only CidrIp=='0.0.0.0/0' is not sufficient: it would also flag groups that legitimately expose a web port to the internet, and it would miss rules written for IPv6.
Implementation Plan:
Using AWS Console:
Modify security group to block ingress from 0.0.0.0/0:
Go to the EC2 Console.
In the Security Groups section, find the security group that allows ingress from 0.0.0.0/0 on remote administration ports.
Modify the Inbound rules to remove any rule whose source is 0.0.0.0/0 or ::/0 and whose port range includes 22 or 3389 (this includes All TCP and All traffic rules).
If necessary, add more restrictive rules to allow access only from specific IP addresses or address ranges.
Verify the changes:
After modifying the rules, ensure that the security group no longer allows ingress from 0.0.0.0/0 to sensitive administration ports.
Using AWS CLI:
Revoke ingress from 0.0.0.0/0 on remote server administration ports. A revoke must match the existing rule exactly (protocol, port range and source), so the commands below remove only rules written as tcp/22 and tcp/3389 from 0.0.0.0/0; a rule that covers the port through a wider range, an All traffic rule, or an IPv6 rule from ::/0 has to be revoked with its own protocol, range and source:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0
Add more restrictive ingress rules, naming the trusted source as a CIDR block (a single address as /32, for example 203.0.113.10/32, or the corporate or bastion network range):
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <trusted-cidr>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr <trusted-cidr>
Verify that no security group still allows ingress from 0.0.0.0/0 or ::/0 to port 22 or 3389 (the command should print an empty result in every region):
aws ec2 describe-security-groups \
  --query "SecurityGroups[?IpPermissions[?(IpProtocol=='-1' || (FromPort<=\`22\` && ToPort>=\`22\`) || (FromPort<=\`3389\` && ToPort>=\`3389\`)) && (IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0'])]].[GroupId, GroupName]" \
  --output table
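The audit in the Test Plan and the revoke step above can be scripted so that port ranges, All traffic rules and IPv6 sources are not missed. The following Python script is an added example written for this page; it is not an AWS tool and not part of the original text. It reads the JSON that aws ec2 describe-security-groups --output json prints, reports every ingress rule that exposes port 22 or 3389 to 0.0.0.0/0 or ::/0, and prints for each finding a revoke-security-group-ingress command whose --ip-permissions matches the offending rule exactly, since a revoke only removes a rule that matches what was authorized. The file name audit_admin_ingress.py, the security group IDs and the sample groups are constructed for illustration.

```python
"""Added example for this page: audit security-group ingress rules for
remote-administration ports reachable from anywhere and emit exact revoke
commands. Input is the JSON printed by
`aws ec2 describe-security-groups --output json`. The sample data at the
bottom is constructed; the group IDs are made up."""
import json
import sys

ADMIN_PORTS = (22, 3389)          # SSH and RDP
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def rule_covers_admin_port(perm):
    """True if one IpPermissions entry can reach port 22 or 3389."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":                              # all traffic: no port fields
        return True
    if proto in ("icmp", "icmpv6", "1", "58"):     # FromPort/ToPort hold ICMP type/code
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def find_exposed_admin_rules(groups):
    """Return (GroupId, GroupName, rule) for every admin-port rule open to the world.

    `rule` is narrowed to the offending CIDRs only, in the shape that
    revoke-security-group-ingress --ip-permissions accepts, so trusted CIDRs
    that share the same permission entry are left untouched.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_admin_port(perm):
                continue
            v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
            v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
            if not v4 and not v6:
                continue
            rule = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":
                rule["FromPort"] = perm["FromPort"]
                rule["ToPort"] = perm["ToPort"]
            if v4:
                rule["IpRanges"] = [{"CidrIp": ANY_V4}]
            if v6:
                rule["Ipv6Ranges"] = [{"CidrIpv6": ANY_V6}]
            findings.append((sg["GroupId"], sg.get("GroupName", ""), rule))
    return findings


def revoke_command(group_id, rule):
    """CLI command that removes exactly this rule. The --cidr/--port shorthand used
    in the text only matches single-CIDR TCP rules; --ip-permissions also covers
    port ranges, protocol -1 and ::/0."""
    return "aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'" % (
        group_id, json.dumps([rule], separators=(",", ":")))


# Constructed sample in the describe-security-groups shape (IDs are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}, {"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "bastion-v6", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60005", "GroupName": "rdp-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def report(groups):
    """Print each finding with its revoke command; return the number of findings."""
    findings = find_exposed_admin_rules(groups)
    for group_id, name, rule in findings:
        print("%s (%s): %s" % (group_id, name, json.dumps(rule)))
        print("    " + revoke_command(group_id, rule))
    return len(findings)


if __name__ == "__main__":
    # aws ec2 describe-security-groups --output json | python audit_admin_ingress.py
    # With nothing piped in, the constructed sample is audited instead.
    data = SAMPLE_GROUPS if sys.stdin.isatty() else json.load(sys.stdin)["SecurityGroups"]
    sys.exit(1 if report(data) else 0)
```

On the constructed sample the script reports three groups: launch-wizard-1 (tcp/22 from 0.0.0.0/0, while its 203.0.113.10/32 rule is left alone), bastion-v6 (a 0-65535 range from ::/0) and wide-open (All traffic from 0.0.0.0/0); web (443 only) and rdp-internal (RDP from 10.0.0.0/8) are not findings. The script exits non-zero when anything is found so it can gate a pipeline, and because security groups are regional it should be run once per region with --region on the describe call.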
Backout Plan:
Using AWS Console:
If restricting ingress causes connectivity issues:
Go to the EC2 Console.
Rather than re-opening the port to 0.0.0.0/0, first re-add the inbound rule for the specific source you are connecting from (the public address of the administrator's network or bastion host); if that is not possible, restore the previous rule only for the duration of troubleshooting and record the change.
Once access is restored, tighten the rules again as necessary.
Review the security group settings to ensure only the necessary IP addresses or ranges have access to the remote administration ports.
Using AWS CLI:
Revert ingress rules temporarily if remote access issues occur (time-box this: the port is exposed to the entire internet for as long as the rule exists):
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0
Revert back to restrictive access rules once issues are resolved:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0