Profile Applicability
- Level 1
Description:
Security groups act as stateful virtual firewalls attached to EC2 network interfaces, controlling inbound and outbound traffic. An inbound rule whose source is ::/0 admits every IPv6 address on the internet; when that rule covers a remote server administration port such as SSH (TCP 22) or RDP (TCP 3389), the port is reachable by anyone with IPv6 connectivity, which is a major security risk. IPv6 sources are stored separately from IPv4 sources (Ipv6Ranges rather than IpRanges), so a review that only looks for 0.0.0.0/0 will miss them. To mitigate the risk of unauthorized access, ensure that no security group allows ingress from ::/0 to remote server administration ports, whether through a rule naming those ports directly, a port range that includes them, or an "All traffic" rule. This prevents external access via IPv6 to critical administration ports unless it is explicitly required and scoped to trusted sources.
Implementing this control ensures that remote server administration ports are secured against unauthorized access from the public internet via IPv6.
Rationale:
Blocking ingress from ::/0 (the entire IPv6 address space) to remote server administration ports provides the following benefits:
Enhanced security: Prevents unauthorized users from accessing critical administration ports via IPv6.
Compliance: Meets security requirements that mandate restricting administrative access to only trusted networks and addresses.
Reduced attack surface: By blocking remote administration access from the public internet, the attack surface is minimized, reducing the risk of brute force or other attacks on server administration ports.
Principle of least privilege: Only explicitly authorized IP addresses should have access to sensitive ports, ensuring that only trusted sources can connect to remote administration services.
Without this control, servers may be exposed to unauthorized remote access via IPv6, potentially leading to security breaches.
Impact:
Failure to block ingress from ::/0 to remote administration ports can result in:
Unauthorized access: Exposing administration ports to the public internet via IPv6 allows attackers to attempt unauthorized logins.
Non-compliance: Violates best practices and security standards that require strict control over remote server administration access.
Security risks: Increased risk of attacks such as brute-force login attempts or exploitation of vulnerabilities in SSH/RDP services.
Ensuring that no security groups allow ingress from ::/0 significantly reduces these risks.
Default Value:
A newly created security group has no inbound rules, and the default security group of a VPC only allows inbound traffic from resources associated with that same group; neither allows ingress from ::/0. Rules that open remote server administration ports to ::/0 are added explicitly, for example by choosing the "Anywhere-IPv6" source in the console rule editor, and they must be removed explicitly. Because IPv6 rules are separate from IPv4 rules, removing a 0.0.0.0/0 rule does not remove a ::/0 rule on the same port.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
ec2:DescribeSecurityGroups
ec2:RevokeSecurityGroupIngress
ec2:AuthorizeSecurityGroupIngress
Access to EC2 instance security groups to modify ingress rules
Remediation:
Test Plan:
Using AWS Console:
Go to the EC2 Console.
In the Security Groups section, review the inbound rules for each security group.
Identify any inbound rule with source ::/0 whose port range includes SSH (22) or RDP (3389), including "All traffic" rules and wide port ranges such as 0-65535 that cover these ports without naming them.
Remove or modify the rules to block access from ::/0 to these ports.
Using AWS CLI:
aws ec2 describe-security-groups --query "SecurityGroups[].[GroupId, GroupName, IpPermissions]" --output json
To list security groups with an inbound rule from ::/0 that covers port 22 or 3389 (IPv6 sources live under Ipv6Ranges/CidrIpv6, not IpRanges/CidrIp; the query is single-quoted so the shell leaves the JMESPath backtick literals alone):
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?Ipv6Ranges[?CidrIpv6==`"::/0"`] && (IpProtocol==`"-1"` || (FromPort<=`22` && ToPort>=`22`) || (FromPort<=`3389` && ToPort>=`3389`))]].[GroupId,GroupName]' --output table
Implementation Plan:
Using AWS Console:
Modify security group to block ingress from ::/0:
Go to the EC2 Console.
In the Security Groups section, find the security group that allows ingress from ::/0 on administrative ports.
Modify the Inbound rules to remove any rule with source ::/0 whose port range includes SSH (22) or RDP (3389), including "All traffic" rules and wide port ranges that cover these ports.
If necessary, add more restrictive rules that only allow access from trusted IP ranges.
Verify the changes:
After modifying the rules, ensure that no security group is allowing ingress from ::/0 to sensitive administration ports.
Using AWS CLI:
Revoke ingress from ::/0 on remote server administration ports. The --cidr flag accepts IPv4 only, so IPv6 sources must be passed with --ip-permissions, and the protocol and port range must match the existing rule exactly (a rule for 0-65535 or for all traffic must be revoked as that range, not as port 22):
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=::/0}]'
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=3389,ToPort=3389,Ipv6Ranges=[{CidrIpv6=::/0}]'
Alternatively, look up the offending rule's ID with aws ec2 describe-security-group-rules --filters Name=group-id,Values=<security-group-id> and revoke it with aws ec2 revoke-security-group-ingress --group-id <security-group-id> --security-group-rule-ids <security-group-rule-id>, which avoids having to reproduce the rule's exact protocol and port range.
Add more restrictive ingress rules, scoped to a trusted IPv6 prefix (use /128 for a single host):
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=<trusted-ipv6-cidr>}]'
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=3389,ToPort=3389,Ipv6Ranges=[{CidrIpv6=<trusted-ipv6-cidr>}]'
Verify that no security group still allows ingress from ::/0 to port 22 or 3389 (the command should return an empty table):
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?Ipv6Ranges[?CidrIpv6==`"::/0"`] && (IpProtocol==`"-1"` || (FromPort<=`22` && ToPort>=`22`) || (FromPort<=`3389` && ToPort>=`3389`))]].[GroupId,GroupName]' --output table
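The CLI query above is limited by what JMESPath can express in one line. The following script is an added example and is not part of this benchmark or of any AWS tooling: it reads the JSON produced by aws ec2 describe-security-groups (piped on stdin), reports every inbound rule that admits ::/0 to port 22 or 3389 while handling "All traffic" rules and wide port ranges, and emits the matching revoke-security-group-ingress call with the rule's own protocol and port range, which is what the Test Plan and the Implementation Plan above ask for. The embedded sample is constructed, not captured from a real account; the group IDs and names in it are made up.

```python
import json
import sys

ADMIN_PORTS = (22, 3389)
ANY_IPV6 = "::/0"


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry admits traffic to `port`.

    IpProtocol "-1" is the "All traffic" rule and carries no FromPort/ToPort.
    ICMP entries use FromPort/ToPort for type/code, so they never cover a TCP/UDP port.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto in ("icmp", "icmpv6", "58"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def find_ipv6_admin_exposure(describe_output: dict) -> list[dict]:
    """One finding per (security group, rule) admitting ::/0 to an admin port.

    Only Ipv6Ranges is consulted: ::/0 never appears under IpRanges (IPv4),
    which is why a check written against IpRanges[].CidrIp reports nothing.
    """
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", [])):
                continue
            hit_ports = [p for p in ADMIN_PORTS if rule_covers_port(perm, p)]
            if hit_ports:
                findings.append({
                    "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName", ""),
                    "IpProtocol": perm["IpProtocol"], "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"), "Ports": hit_ports,
                })
    return findings


def revoke_command(finding: dict) -> str:
    """Build the revoke call for a finding.

    --cidr accepts IPv4 only, so the IPv6 source goes in --ip-permissions. The
    protocol and port range must match the existing rule exactly, so they are
    copied from the finding rather than hard-coded to 22 or 3389.
    """
    perm = f"IpProtocol={finding['IpProtocol']}"
    if finding["FromPort"] is not None:
        perm += f",FromPort={finding['FromPort']},ToPort={finding['ToPort']}"
    perm += f",Ipv6Ranges=[{{CidrIpv6={ANY_IPV6}}}]"
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['GroupId']} "
            f"--ip-permissions '{perm}'")


# Constructed sample shaped like `aws ec2 describe-security-groups --output json`
# (made-up group IDs and names; not from a real account).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion-v6",   # ::/0 on TCP 22
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "wide-open",    # All traffic from ::/0
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-v4",    # IPv4 only: other control
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "range-v6",     # 443 ok; 1024-65535 hits 3389
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                       {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}


def main() -> int:
    # Usage: aws ec2 describe-security-groups --output json | python3 check_ipv6_admin.py
    # With no piped input the constructed SAMPLE is scanned instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    findings = find_ipv6_admin_exposure(data)
    for f in findings:
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} "
              f"{f['FromPort']}-{f['ToPort']} from ::/0 exposes {f['Ports']}")
        print("  " + revoke_command(f))
    return 1 if findings else 0   # non-zero exit so a CI job fails on exposure


if __name__ == "__main__":
    sys.exit(main())
```

On the sample the script flags three of the four groups: the explicit port 22 rule, the "All traffic" rule (which covers both ports without naming either), and the 1024-65535 range (which swallows 3389 but not 22); the IPv4-only 0.0.0.0/0 rule is left to the companion IPv4 control. Run the emitted revoke commands one at a time and re-run the script until it exits 0.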
Backout Plan:
Using AWS Console:
If restricting ingress causes connectivity issues:
Go to the EC2 Console.
Revert the security group to allow ingress from ::/0 on the remote administration ports (SSH or RDP) temporarily if needed for troubleshooting.
Modify the rules to allow more restrictive access as necessary.
Review the security group settings to ensure only the necessary IP addresses or ranges have access to the remote administration ports.
Using AWS CLI:
Revert ingress rules temporarily if remote access issues occur (IPv6 sources must be passed with --ip-permissions, since --cidr accepts IPv4 only):
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=::/0}]'
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=3389,ToPort=3389,Ipv6Ranges=[{CidrIpv6=::/0}]'
Return to restrictive access rules once the issue is resolved:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=::/0}]'
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions 'IpProtocol=tcp,FromPort=3389,ToPort=3389,Ipv6Ranges=[{CidrIpv6=::/0}]'