
Rule: Security groups should not allow unrestricted access to ports with high risk

This rule ensures that security groups do not expose high-risk ports to unrestricted access.

Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

This rule ensures that security groups in AWS do not have unrestricted ingress (0.0.0.0/0 or ::/0) to ports that AWS Foundational Security Best Practices classifies as high risk. Restricting these ports to known source ranges, or closing them entirely, removes an exposure that is routinely scanned for from the internet and helps protect the assets and data within the AWS environment.

Troubleshooting Steps:

If there are security groups found that violate this rule, the following steps can be taken to troubleshoot and remediate the issue:

  1. Identify the security groups in violation: Use the AWS Management Console or AWS Command Line Interface (CLI) to identify the security groups that have unrestricted access to high-risk ports.

  2. Verify the ports and IP ranges: Double-check the ports and IP ranges that are defined in the security group rules. Ensure that ports with high risk are not configured to allow access from all IP addresses (0.0.0.0/0 or ::/0).

  3. Evaluate the necessity of the existing rules: Review the current traffic requirements and determine if the existing rules are necessary. Consider if the high-risk ports should be restricted to specific IP ranges or if they can be blocked altogether.

  4. Modify the security group rules: If it is determined that the existing rules need to be modified, use the AWS Management Console or CLI to edit the security group rules. Update the rules to restrict access to the high-risk ports to specific IP ranges or remove them entirely if they are not needed.

Necessary Codes:

If you prefer to use the AWS CLI for remediation, the following code snippets can be used:

To describe the security group rules:

aws ec2 describe-security-groups --group-ids <security-group-id>

To remove a rule that grants unrestricted access to a high-risk port:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port> --cidr 0.0.0.0/0

To add a replacement rule limited to a specific IP range, if the port is still needed:

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port> --cidr <ip-range>

Replace <security-group-id>, <protocol>, <port>, and <ip-range> with the appropriate values. Note that authorize-security-group-ingress only adds a rule: unless the existing 0.0.0.0/0 rule is revoked as shown, the port stays exposed. An IPv6 rule open to ::/0 is revoked with --ip-permissions (the --cidr shorthand accepts IPv4 ranges only).

Step-by-Step Guide for Remediation:

To remediate the violation, follow these step-by-step instructions:

  1. Identify the security group(s) violating the rule by using the AWS Management Console or executing the following command in the AWS CLI, which lists every group with an ingress rule open to 0.0.0.0/0 or ::/0 (the CLI's JMESPath has no built-in knowledge of the high-risk port list, so review the listed groups' rules for those ports):

aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`] || Ipv6Ranges[?CidrIpv6==`::/0`]]].{GroupId:GroupId,GroupName:GroupName}' --output table

  2. Review the identified security group(s) and their associated rules. Take note of the high-risk ports and the IP ranges that have unrestricted access.

  3. Evaluate the necessity of the existing rules. Consider if the high-risk ports need to be accessible to all IP addresses or if they can be restricted to specific ranges or blocked completely.

  4. Update the security group rules to restrict access to the high-risk ports. You can use the AWS Management Console or the AWS CLI: first revoke the unrestricted rule, then, if the port is still needed, authorize a rule limited to a specific IP range:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port> --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port> --cidr <ip-range>

Replace <security-group-id>, <protocol>, <port>, and <ip-range> with the appropriate values.

  5. Repeat step 4 for each security group that violates the rule.

  6. Verify that the rule violation has been resolved by rechecking the security group rules using the AWS Management Console or CLI.

By following these steps, you can ensure that security groups do not allow unrestricted access to high-risk ports in line with AWS Foundational Security Best Practices.
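The identification step can be scripted against the JSON that aws ec2 describe-security-groups returns. The following Python is an added example, not Cloud Defense's or AWS's code: it reads a constructed sample of that output, flags ingress rules that expose a high-risk port to 0.0.0.0/0 or ::/0, and builds the revoke-security-group-ingress call that removes each offending rule. It goes beyond the page in handling port ranges (FromPort..ToPort spanning a high-risk port) and all-traffic rules (IpProtocol -1). The HIGH_RISK_PORTS list is the one published for FSBP control EC2.19 at the time of writing and is an assumption here; verify it against the current control documentation before relying on it.

```python
"""Flag security-group ingress rules that expose high-risk ports to the world.

Added example; not Cloud Defense or AWS code. It parses the JSON shape produced by
`aws ec2 describe-security-groups` (constructed sample below). HIGH_RISK_PORTS is
the port list published for FSBP control EC2.19 at the time of writing (assumption).
"""
import json

HIGH_RISK_PORTS = {20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000,
                   3306, 3389, 4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888,
                   9200, 9300}
UNRESTRICTED_V4 = "0.0.0.0/0"
UNRESTRICTED_V6 = "::/0"

# Constructed sample of describe-security-groups output: one clean group and one
# with a port range and an all-traffic rule open to the world.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example2", "GroupName": "legacy-db", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")


def exposed_high_risk_ports(perm):
    """Return the high-risk ports an IpPermission entry covers (empty set if none).
    Protocol -1 (all traffic) carries no FromPort/ToPort and covers every port;
    ICMP and other non-TCP/UDP entries carry no TCP/UDP port and are skipped."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(HIGH_RISK_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in HIGH_RISK_PORTS if lo <= p <= hi}


def open_cidrs(perm):
    """List the any-address ranges (IPv4 and/or IPv6) present on the rule."""
    found = []
    if any(r.get("CidrIp") == UNRESTRICTED_V4 for r in perm.get("IpRanges", [])):
        found.append(UNRESTRICTED_V4)
    if any(r.get("CidrIpv6") == UNRESTRICTED_V6 for r in perm.get("Ipv6Ranges", [])):
        found.append(UNRESTRICTED_V6)
    return found


def find_violations(describe_output):
    """Walk describe-security-groups output and return one finding per rule that
    exposes at least one high-risk port to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = open_cidrs(perm)
            if not cidrs:
                continue
            ports = exposed_high_risk_ports(perm)
            if ports:
                findings.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "OpenCidrs": cidrs,
                    "HighRiskPorts": sorted(ports),
                })
    return findings


def revoke_command(finding):
    """Build the CLI call that revokes only the any-address entries of the
    offending rule, leaving other source ranges on the same rule intact.
    --ip-permissions is used because the --cidr shorthand is IPv4-only."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if UNRESTRICTED_V4 in finding["OpenCidrs"]:
        perm["IpRanges"] = [{"CidrIp": UNRESTRICTED_V4}]
    if UNRESTRICTED_V6 in finding["OpenCidrs"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": UNRESTRICTED_V6}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], json.dumps([perm])))


if __name__ == "__main__":
    for f in find_violations(SAMPLE):
        print(f["GroupId"], f["IpProtocol"], f["OpenCidrs"], f["HighRiskPorts"])
        print("  ", revoke_command(f))
```

To run it against a live account, replace SAMPLE with json.load() of the command's output; the printed revoke calls are the per-rule remediation, after which a narrower authorize-security-group-ingress rule can be added where the port is genuinely required.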
