Profile Applicability:
• Level 2
Description:
Securing ports on EC2 instances and other resources within a Virtual Private Cloud (VPC) is crucial for preventing unauthorized access. This involves restricting inbound access to only the ports each application actually requires, using security group rules at the instance level and network access control lists (NACLs) at the subnet level. By ensuring that only required ports are reachable, and only from the sources that need them, organizations reduce the risk of exposure to attacks such as brute force against administrative services, exploitation of vulnerable listening services, and data breaches.
Rationale:
Leaving unnecessary ports open or exposed to the internet increases the attack surface of your resources. By closing unused ports and allowing access only to necessary services from appropriate sources (e.g., HTTPS for public web traffic, SSH or RDP only from trusted ranges), you significantly reduce the chances of an attacker exploiting a vulnerable or weakly authenticated service. This is a basic element of network security and supports network-access requirements in compliance frameworks such as PCI DSS (firewall and segmentation controls), HIPAA, and SOC 2.
Impact:
Pros:
Reduces the attack surface by limiting the number of open ports
Ensures that only secure, necessary services (e.g., HTTPS) are accessible
Enhances network security by restricting traffic and preventing unauthorized access
Simplifies network management by limiting complexity in security configurations
Cons:
Misconfiguration of port access may cause legitimate applications or services to become inaccessible
Requires regular reviews and updates to ensure only the necessary ports are open and that no critical ports are unintentionally closed
May require additional planning for secure access to services that require specific ports, like SSH (22) or RDP (3389)
Default Value:
By default, a VPC's default security group allows inbound traffic only from resources assigned the same security group and allows all outbound traffic; a newly created security group has no inbound rules at all. However, when the EC2 launch wizard creates a new security group for an instance, it proposes an inbound rule for SSH (22, Linux) or RDP (3389, Windows) from 0.0.0.0/0 unless the source is narrowed at launch, and the default network ACL allows all inbound and outbound traffic. Security groups and NACLs therefore need to be explicitly configured to restrict access to only the necessary ports and sources.
Pre-requisites:
IAM permissions to create and modify security groups, NACLs, and VPC resources (e.g., ec2:AuthorizeSecurityGroupIngress, ec2:RevokeSecurityGroupIngress)
Understanding of which ports need to be open for each application and instance
Knowledge of secure port management, especially for services such as SSH, RDP, HTTP, and HTTPS
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to EC2 > Security Groups
Review all security groups associated with EC2 instances, ensuring that only necessary ports (such as HTTPS (443) or HTTP (80)) are open to the public
Verify that ports like SSH (22) and RDP (3389) are restricted to trusted IP ranges or VPNs for secure access
Navigate to VPC > Network ACLs and ensure that network ACLs are configured to restrict access to unnecessary ports at the subnet level
Check that no security group allows unrestricted access to critical ports, such as 22 (SSH) or 3389 (RDP), from all IP addresses (0.0.0.0/0)
Using AWS CLI:
List all security groups:
aws ec2 describe-security-groups
Describe a specific security group to review its inbound rules:
aws ec2 describe-security-groups --group-ids <security-group-id>
Check that no security group allows unrestricted access on administrative ports, such as 22 (SSH) or 3389 (RDP), from 0.0.0.0/0 (repeat with Values=3389, and with Name=ip-permission.ipv6-cidr,Values=::/0 to cover IPv6). The filters are matched against the group as a whole, so confirm the offending rule in each listed group's IpPermissions; all-traffic rules (IpProtocol -1) and wide port ranges are not caught by exact port filters and must be reviewed directly:
aws ec2 describe-security-groups \
  --filters Name=ip-permission.from-port,Values=22 Name=ip-permission.to-port,Values=22 Name=ip-permission.cidr,Values=0.0.0.0/0 \
  --query "SecurityGroups[].[GroupId,GroupName]" --output table
Review network ACL settings to ensure restrictive access to unnecessary ports:
aws ec2 describe-network-acls --network-acl-ids <network-acl-id>
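As an added example (not part of the original benchmark text), the following Python function performs the security group check above over the JSON that aws ec2 describe-security-groups returns (the "SecurityGroups" list; boto3's describe_security_groups()["SecurityGroups"] has the same shape). Unlike an exact port filter it also catches port ranges that include an administrative port, all-traffic (IpProtocol -1) rules, and IPv6 ::/0. The security group data and group IDs below are constructed for the example.

```python
"""Flag security group rules that expose administrative ports to the whole internet.

Added example. The input shape matches the "SecurityGroups" list returned by
`aws ec2 describe-security-groups`; the sample data below is constructed for
the example, not taken from a real account.
"""

ANY_CIDR = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "everyone"
# TCP ports the page treats as administrative / internal; adjust per environment.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}


def _tcp_port_span(perm):
    """Return the (low, high) TCP ports an IpPermissions entry covers, or None.

    IpProtocol "-1" means all traffic and carries no FromPort/ToPort, so it
    covers every port. UDP and ICMP entries are ignored: the sensitive services
    above are all TCP, and ICMP reuses FromPort/ToPort for type/code.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return 0, 65535
    if proto not in ("tcp", "6"):
        return None
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_exposed_rules(security_groups, sensitive_ports=SENSITIVE_PORTS):
    """Return (group_id, service, port, cidr) for every rule that allows a
    sensitive port from 0.0.0.0/0 or ::/0, including via a range or an
    all-traffic rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            span = _tcp_port_span(perm)
            if span is None:
                continue
            low, high = span
            open_cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])
                          if r.get("CidrIp") in ANY_CIDR]
            open_cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                           if r.get("CidrIpv6") in ANY_CIDR]
            if not open_cidrs:
                continue
            for port, service in sensitive_ports.items():
                if low <= port <= high:
                    for cidr in open_cidrs:
                        findings.append((sg["GroupId"], service, port, cidr))
    return findings


# Constructed sample: one non-compliant group and one compliant bastion group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0badbeef",
        "GroupName": "web-and-admin",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # All traffic from any IPv6 source: exposes SSH, RDP and MySQL too.
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0c0ffee0",
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        ],
    },
]


if __name__ == "__main__":
    for group_id, service, port, cidr in find_exposed_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {service} ({port}/tcp) open to {cidr}")
```

To run it against a real account, feed it the output of aws ec2 describe-security-groups --query "SecurityGroups" (or the boto3 call) for every region in use; security groups are regional, so a single-region audit is incomplete.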
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console
Navigate to EC2 > Security Groups
Select the security group associated with your EC2 instance
Review and modify the inbound rules so that only required ports are reachable: open port 443 for HTTPS where the instance serves web traffic, and remove or narrow rules for administrative ports such as SSH (22) and RDP (3389) so they are not reachable from 0.0.0.0/0 or ::/0
Ensure SSH (port 22) is only accessible from trusted IP addresses
Open HTTP (port 80) or HTTPS (port 443) if required for web applications
Add any additional necessary rules for application-specific traffic, ensuring they are as restrictive as possible
Navigate to VPC > Network ACLs and configure any subnet-level restrictions for secure ports (e.g., blocking inbound access to unnecessary ports like 3306 for MySQL)
Test the configuration by attempting to connect to the EC2 instance from different IP addresses or services to ensure that the correct ports are open and secure
Using AWS CLI:
Add a rule allowing SSH only from a trusted source (use the narrowest CIDR that works, e.g. a single address as a /32):
aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 22 \
  --cidr <trusted-ip>/32
Remove the rule that exposes SSH (port 22) to all IPv4 addresses (the rule to revoke must match exactly; repeat with --cidr ::/0 if an IPv6 rule exists, using --ip-permissions for IPv6 ranges):
aws ec2 revoke-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 22 --cidr 0.0.0.0/0
Open HTTPS access (port 443) for all IP addresses:
aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp --port 443 --cidr 0.0.0.0/0
Add a network ACL entry that denies inbound access to a port at the subnet level. NACL entries are evaluated in ascending rule-number order and the first match wins, so an allow entry for the trusted range (same command with --rule-action allow and --cidr-block <trusted-ip-range>) must use a lower rule number than this deny, and both must come before the default NACL's allow-all entry at rule number 100. Because NACLs are stateless, the outbound rules must still permit return traffic on ephemeral ports (1024-65535):
aws ec2 create-network-acl-entry \
  --network-acl-id <network-acl-id> \
  --ingress \
  --rule-number 95 \
  --protocol tcp \
  --port-range From=22,To=22 \
  --cidr-block 0.0.0.0/0 \
  --rule-action deny
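NACL rule ordering is the step most often done wrong in the procedure above, so here is an added example (not code from the original page) that simulates how a VPC network ACL decides an inbound packet: entries are evaluated in ascending rule-number order, the first matching entry decides, and the implicit final "*" entry denies. The three rule tables are constructed for the example and show an allow-before-deny ordering for SSH that works, the same entries with the numbers swapped (which locks out the trusted host as well), and a deny placed after the default allow-all entry at rule 100 (which never fires). The trusted address 203.0.113.10 is a documentation example address.

```python
"""Simulate inbound evaluation of a VPC network ACL (added example).

Models the behaviour AWS documents for NACLs: ascending rule-number order,
first match wins, implicit "*" deny at the end. Rule tables are constructed.
"""
import ipaddress


def nacl_entry(rule_number, cidr, action, proto="tcp", port_range=None):
    """Build one NACL entry; proto "-1" means all traffic (no port range)."""
    return {"rule_number": rule_number, "protocol": proto,
            "port_range": port_range, "cidr": cidr, "action": action}


def _matches(entry, proto, port, src_ip):
    """True if a single entry matches the packet (protocol, dst port, source)."""
    if entry["protocol"] != "-1":
        if entry["protocol"] != proto:
            return False
        low, high = entry["port_range"]
        if not low <= port <= high:
            return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(entry["cidr"])


def evaluate_inbound(entries, proto, port, src_ip):
    """Return (rule_number, action) of the deciding entry; ("*", "deny") if none match."""
    for entry in sorted(entries, key=lambda e: e["rule_number"]):
        if _matches(entry, proto, port, src_ip):
            return entry["rule_number"], entry["action"]
    return "*", "deny"


# Intended ordering: allow SSH from the trusted host (90) ahead of the
# catch-all SSH deny (95); 100 is the default NACL's allow-all entry.
CORRECT_INBOUND = [
    nacl_entry(90, "203.0.113.10/32", "allow", port_range=(22, 22)),
    nacl_entry(95, "0.0.0.0/0", "deny", port_range=(22, 22)),
    nacl_entry(100, "0.0.0.0/0", "allow", proto="-1"),
]

# Same entries, deny numbered below the allow: the trusted host is blocked too.
WRONG_ORDER_INBOUND = [
    nacl_entry(90, "0.0.0.0/0", "deny", port_range=(22, 22)),
    nacl_entry(95, "203.0.113.10/32", "allow", port_range=(22, 22)),
    nacl_entry(100, "0.0.0.0/0", "allow", proto="-1"),
]

# Deny added after the default allow-all: rule 100 matches first, SSH stays open.
DENY_TOO_LATE_INBOUND = [
    nacl_entry(100, "0.0.0.0/0", "allow", proto="-1"),
    nacl_entry(110, "0.0.0.0/0", "deny", port_range=(22, 22)),
]


if __name__ == "__main__":
    tables = [("correct", CORRECT_INBOUND),
              ("wrong order", WRONG_ORDER_INBOUND),
              ("deny too late", DENY_TOO_LATE_INBOUND)]
    for name, table in tables:
        trusted = evaluate_inbound(table, "tcp", 22, "203.0.113.10")
        stranger = evaluate_inbound(table, "tcp", 22, "198.51.100.7")
        print(f"{name:14} trusted->22: {trusted}   stranger->22: {stranger}")
```

The simulation covers the inbound direction only. Because NACLs are stateless, the outbound table for the same subnet must allow the reply packets (TCP ephemeral ports 1024-65535 to the client's address), or the trusted host's SSH session will be admitted inbound and then dropped on the way back.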
Backout Plan:
Using AWS Console:
Navigate to EC2 > Security Groups
Select the security group to modify or delete
Revert changes to restore access to previously open ports or allow new IP ranges if necessary
Check that all changes are compliant with the security policy
Using AWS CLI:
Revoke any security group rule added during remediation that needs to be rolled back (and re-add any rule the remediation removed, using the authorize-security-group-ingress command from the Implementation Plan):
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --cidr <ip-range>
Delete any network ACL entry added during remediation that blocks a port a workload needs (specify --ingress or --egress to match the entry being removed):
aws ec2 delete-network-acl-entry --network-acl-id <network-acl-id> --ingress --rule-number <rule-number>