Profile Applicability:
Level 1
Description:
This control ensures that AWS Security Groups do not allow unrestricted inbound traffic (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to any port. Allowing open access to all IP addresses exposes resources to potential unauthorized access, brute-force attacks, and exploitation of vulnerabilities. Restricting ingress rules to trusted IP addresses or internal networks helps maintain a secure boundary around AWS resources.
Rationale:
Security Groups are virtual firewalls that control inbound and outbound traffic to and from AWS resources. Permitting unrestricted ingress (from any IP) to any port removes the primary line of defense against external attacks. Such configurations can lead to data breaches, unauthorized system access, and compliance violations. Restricting inbound access ensures adherence to the principle of least privilege and supports compliance with frameworks like CIS, SOC 2, ISO 27001, and HIPAA.
Impact:
Positive Impact: Significantly improves network security by reducing exposure to unauthorized or malicious traffic and ensuring compliance with best practices.
Negative Impact: May disrupt legitimate access if administrative or service-related IPs are not added to the allowed sources before the open rule is restricted.
Default Value:
By default, newly created Security Groups deny all inbound traffic until specific rules are added.
Pre-Requisite:
IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, and ec2:AuthorizeSecurityGroupIngress.
Identify known and trusted IP ranges or CIDR blocks for legitimate access.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 → Security Groups.
For each Security Group, select the Inbound Rules tab.
Check for any rule where:
Source: 0.0.0.0/0 or ::/0
Port Range: any value, whether All traffic or a specific port or port range
If such rules exist, the Security Group is non-compliant.
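The console check above does not scale across many groups, so the following added script (not part of this control document) performs the same test over the JSON returned by `aws ec2 describe-security-groups`: it flags every inbound rule whose IPv4 or IPv6 source covers the whole address space, regardless of port. The security group IDs and rules embedded below are constructed sample data, not real account output.

```python
# Audit Security Group ingress rules open to the world (0.0.0.0/0 or ::/0).
# Input shape is the 'SecurityGroups' list from `aws ec2 describe-security-groups`.
import ipaddress

WORLD_V4 = ipaddress.ip_network("0.0.0.0/0")
WORLD_V6 = ipaddress.ip_network("::/0")

def is_world_open(cidr):
    """True when the CIDR string covers every IPv4 or every IPv6 address."""
    try:
        return ipaddress.ip_network(cidr, strict=False) in (WORLD_V4, WORLD_V6)
    except ValueError:          # malformed CIDR: treat as not matching
        return False

def port_label(perm):
    """Human-readable protocol/port description of one IpPermissions entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":           # AWS encodes 'All traffic' as protocol -1
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or (lo == -1 and hi == -1):
        return f"{proto}/all"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"

def find_open_ingress(security_groups):
    """Return (group_id, source_cidr, port_label) for each world-open inbound rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if src and is_world_open(src):
                    findings.append((sg["GroupId"], src, port_label(perm)))
    return findings

# Constructed sample data in the DescribeSecurityGroups shape (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    import json, sys
    groups = SAMPLE_GROUPS if sys.stdin.isatty() else json.load(sys.stdin)["SecurityGroups"]
    for gid, src, ports in find_open_ingress(groups):
        print(f"NON-COMPLIANT {gid}: {src} -> {ports}")
```

Run it as `aws ec2 describe-security-groups | python3 audit_sg.py` to check a real account; with no piped input it runs against the constructed sample, where the 443 rule is reported too, because this control treats any port open to the world as non-compliant.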
Implementation Plan
Using AWS Console:
Navigate to EC2 → Security Groups.
Select the non-compliant Security Group.
Choose Edit inbound rules.
Identify any rule that allows access from 0.0.0.0/0 or ::/0.
Modify the Source to a restricted IP range such as:
Your organization’s public IP address or VPN CIDR block.
The internal VPC CIDR block (e.g., 10.0.0.0/16).
Click Save rules to apply the changes.
Re-test application access from authorized networks to confirm connectivity.
Backout Plan:
Using AWS Console:
If legitimate users lose access after tightening rules, temporarily re-add a specific source IP or CIDR to restore functionality.
Document the exception and implement secure access methods like AWS Systems Manager Session Manager, Bastion Host, or VPN instead of re-enabling public access.