Profile Applicability:

  • Level 1

Description:

This control ensures that AWS Security Groups do not allow unrestricted inbound access (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to TCP port 22, which is used for SSH (Secure Shell) connections. Allowing public access to SSH exposes EC2 instances to brute-force attacks, unauthorized logins, and potential exploitation. Restricting SSH access to trusted IP ranges or internal networks reduces attack surface and improves overall security posture.

Rationale:

SSH provides administrative access to Linux-based EC2 instances. If port 22 is open to the entire internet, attackers can continuously attempt to guess credentials, keys, or exploit SSH vulnerabilities. Restricting access to specific IPs or using secure alternatives such as AWS Systems Manager Session Manager or bastion hosts helps protect instances from unauthorized remote access and aligns with security best practices under CIS, SOC 2, ISO 27001, and NIST 800-53 frameworks.

Impact:

  • Positive Impact: Reduces risk of unauthorized administrative access, brute-force attacks, and potential system compromise.

  • Negative Impact: May cause temporary connection issues for administrators if trusted IPs are not properly whitelisted.

Default Value:

By default, newly created Security Groups deny all inbound traffic until rules are manually added.

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress.

Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to EC2 → Security Groups.
  3. Select each Security Group and go to the Inbound Rules tab.
  4. Review all rules allowing access to TCP port 22.
  5. If any rule has a source of 0.0.0.0/0 or ::/0, it is non-compliant.
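
The same check expressed as code, so it can be run against every Security Group at once and also catches two cases a manual review of the Inbound Rules tab can miss: a rule with protocol "All traffic" (IpProtocol -1, which has no port fields) and a port range such as 20-25 that includes 22 without naming it. This is an added example, not part of the benchmark text; SAMPLE is a constructed input in the shape of `aws ec2 describe-security-groups` JSON, and no AWS API is called.

```python
import json  # the constructed SAMPLE below is parsed like real CLI output

PUBLIC_V4, PUBLIC_V6, SSH_PORT = "0.0.0.0/0", "::/0", 22


def rule_covers_ssh(rule):
    """True if one IpPermissions entry reaches TCP/22.

    Handles cases a manual review can miss: IpProtocol "-1" means all
    traffic (no ports given), and a range such as 20-25 includes 22.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= SSH_PORT <= rule.get("ToPort", 0)


def public_sources(rule):
    """Return the unrestricted IPv4/IPv6 CIDRs used as the rule's source."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == PUBLIC_V4]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == PUBLIC_V6]
    return v4 + v6


def find_noncompliant(describe_output):
    """Map each non-compliant GroupId to the public sources exposing SSH."""
    findings = {}
    for sg in describe_output["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if rule_covers_ssh(rule):
                for cidr in public_sources(rule):
                    findings.setdefault(sg["GroupId"], []).append(cidr)
    return findings


# Constructed sample (not real account data) in describe-security-groups shape:
# sg-aaaa1111 opens 22 to any IPv4 source, sg-bbbb2222 is internal only,
# sg-cccc3333 allows all traffic from any IPv6 source.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-aaaa1111", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
   "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-bbbb2222", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
   "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-cccc3333", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
   "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")

if __name__ == "__main__":
    print(json.dumps(find_noncompliant(SAMPLE), indent=2))  # two non-compliant groups
```

To audit a real account, replace SAMPLE with the parsed output of `aws ec2 describe-security-groups`; the ec2:DescribeSecurityGroups permission listed above is all the script needs.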
Implementation Plan

Using AWS Console:

  1. Navigate to EC2 → Security Groups.
  2. Select the non-compliant Security Group.
  3. Click Edit inbound rules.
  4. Identify any rule that allows access to port 22 from 0.0.0.0/0 or ::/0.
  5. Delete the public rule or modify it to allow access from:
    • Specific administrative IPs (e.g., your office or VPN CIDR).
    • Internal subnets within the same VPC (e.g., 10.0.0.0/16).
  6. Click Save rules.
  7. Test SSH access from the authorized network.

Backout Plan:

Using AWS Console:

  1. If administrators lose access after the change, temporarily re-add access for a specific IP (not 0.0.0.0/0).
  2. Configure a bastion host or use AWS Systems Manager Session Manager for secure administrative access going forward.

References: