Profile Applicability:

  • Level 1

Description:

This control ensures that AWS Security Groups do not allow unrestricted inbound access (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to TCP ports 1521 and 2483, which are commonly used for Oracle database connections. Exposing these ports publicly allows attackers to scan, identify, and exploit Oracle databases directly over the internet, potentially leading to data breaches and unauthorized access. Restricting these ports to known, trusted networks significantly reduces the attack surface. 

Rationale:

Oracle databases often contain highly sensitive information. Allowing unrestricted inbound access to Oracle listener ports can lead to credential brute-forcing, database enumeration, and exploitation of known vulnerabilities. By restricting access to only trusted IP ranges (for example, application servers or internal networks), organizations can minimize exposure and adhere to best practices in database security. This control supports compliance with CIS, SOC 2, ISO 27001, and NIST 800-53. 

Impact:

  • Positive Impact: Reduces the risk of unauthorized database access, data theft, and system compromise by restricting exposure to critical Oracle database ports.

  • Negative Impact: Administrators or applications outside of the allowed IP ranges will need to connect through secure methods like VPN or private VPC peering. 

Default Value:

By default, AWS Security Groups deny all inbound traffic unless explicitly configured. 

Pre-Requisite:

  • IAM permissions required: ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress.
  • Identification of trusted IP ranges or private networks that require Oracle database access.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 → Security Groups.

  3. Select each Security Group and open the Inbound Rules tab.

  4. Check for any rules where:

    • Protocol: TCP

    • Port Range: 1521 or 2483

    • Source: 0.0.0.0/0 or ::/0

  5. If any such rules are found, the Security Group is non-compliant.
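The console check above, run programmatically over the IpPermissions structure that ec2:DescribeSecurityGroups returns (the JSON from `aws ec2 describe-security-groups` or boto3's describe_security_groups()). This is an added example, not part of the benchmark; it goes beyond the literal console steps by also flagging TCP rules whose port range spans 1521 or 2483 and "all traffic" rules, since both expose the Oracle listener just as fully as an exact-port rule. The group IDs and rules in SAMPLE are constructed.

```python
"""Flag security groups whose inbound rules open Oracle listener ports
(TCP 1521/2483) to 0.0.0.0/0 or ::/0, from the IpPermissions structure
returned by ec2:DescribeSecurityGroups. Stdlib only; sample data below is
constructed, not taken from a real account."""
import json

ORACLE_PORTS = (1521, 2483)


def rule_exposes_oracle(perm):
    """One IpPermissions entry: does it allow an Oracle port from anywhere?
    Matches TCP rules whose FromPort-ToPort range spans 1521 or 2483 and
    'all traffic' rules (IpProtocol '-1'), which carry no port range."""
    proto = perm.get("IpProtocol")
    if proto == "tcp":
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not any(lo <= p <= hi for p in ORACLE_PORTS):
            return False
    elif proto != "-1":
        return False  # udp/icmp etc. are out of scope for this control
    v4_open = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    v6_open = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    return v4_open or v6_open


def non_compliant_groups(describe_response):
    """GroupIds from a describe_security_groups() response with at least
    one offending inbound rule, sorted for stable reporting."""
    return sorted(
        sg["GroupId"]
        for sg in describe_response["SecurityGroups"]
        if any(rule_exposes_oracle(p) for p in sg.get("IpPermissions", []))
    )


# Constructed sample: a, c and d are non-compliant; b is restricted to a VPC CIDR.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0a", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1521,
   "ToPort": 1521, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0b", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1521,
   "ToPort": 1521, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0c", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1024,
   "ToPort": 3000, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0d", "IpPermissions": [{"IpProtocol": "-1",
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]}""")

if __name__ == "__main__":
    print(non_compliant_groups(SAMPLE))  # ['sg-0a', 'sg-0c', 'sg-0d']
```

Rules whose source is another security group or a prefix list (UserIdGroupPairs, PrefixListIds) are not world-open and are intentionally left out of the check.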

Implementation Plan:

Using AWS Console:

  1. Navigate to EC2 → Security Groups.

  2. Select the non-compliant Security Group.

  3. Click Edit inbound rules.

  4. Delete any inbound rule that allows TCP access on port 1521 or 2483 from 0.0.0.0/0 or ::/0.

  5. Add new inbound rules allowing access only from:

    • Application server CIDR blocks (e.g., 10.0.0.0/16).

    • Specific administrative IPs (e.g., 203.0.113.25/32).

  6. Click Save rules to apply the changes.

  7. Verify that Oracle connectivity functions correctly from trusted IPs or networks only.

Backout Plan:

Using AWS Console:

  1. If critical applications lose connectivity after tightening rules, temporarily re-enable access from specific trusted IPs while investigating the root cause.
  2. Implement a long-term solution using VPN, Direct Connect, or Bastion Host access to manage database connectivity securely.

References: