
Rule: VPC Security Groups Should Restrict Ingress Access on Common Ports

This rule ensures VPC security groups restrict ingress access on specific common ports to enhance security.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: CISA-cyber-essentials
Severity: High

Rule Description: Restricting Ingress Access on Specific Ports for VPC Security Groups

Rule Overview:

This rule enforces the restriction of ingress access on specific ports within a Virtual Private Cloud (VPC) security group. It requires that no inbound rule allow access on ports 20, 21, 22, 3306, 3389, or 4333 from the IP range 0.0.0.0/0 (any IPv4 address). This restriction improves the security posture of the VPC by reducing the exposure of these commonly targeted services to the whole internet.

Rule Details:

To implement this rule, the following steps need to be followed:

  1. Identify the VPC security group(s) where the ingress access restriction needs to be applied.
  2. Review the existing inbound rules for the identified security group(s) to ensure no conflicts or overlaps with the expected changes.
  3. Determine the correct port numbers (20, 21, 22, 3306, 3389, and 4333) that need to be restricted for ingress access.
  4. Validate that the IP range 0.0.0.0/0 is currently allowed access on the specified ports.
  5. Modify the existing inbound rules to enforce the restriction on the specified ports.
  6. Update the security group's inbound rules so that only the necessary IP ranges or specific IP addresses are allowed on the specified ports, with no remaining rule that permits 0.0.0.0/0 (security groups only contain allow rules, so access is removed by deleting the permissive rule rather than by adding a deny).

Troubleshooting Steps:

If there are any issues encountered during the implementation of this rule, the following troubleshooting steps can be helpful:

  1. Double-check the security group associated with the VPC to ensure that the correct group is being modified.
  2. Verify the existing inbound rules and ensure that there are no conflicts or conditions that may interfere with the desired restriction.
  3. Confirm that the correct port numbers are being restricted and that the services dependent on those ports are still functional.
  4. Validate the IP range being used (0.0.0.0/0) and ensure that it is correctly specified.
  5. If access issues persist, check for any other security groups or network ACLs within the VPC that may be overriding the desired restrictions.

Necessary Codes:

No specific code snippets are required for this rule. The implementation can be done through the AWS Management Console or via CLI commands.

Step-by-Step Guide for Remediation:

To implement the required ingress access restriction on the specified ports within VPC security groups, follow these step-by-step instructions:

  1. Log in to the AWS Management Console.
  2. Navigate to the VPC Dashboard.
  3. Identify the appropriate VPC associated with the security group that needs modification.
  4. Locate the security group(s) to be modified and note down their Group IDs.
  5. Access the EC2 Dashboard and select the "Security Groups" link from the sidebar.
  6. Search for and select the desired security group using the Group ID identified in step 4.
  7. In the "Inbound Rules" tab, review the existing rules to ensure no conflicts or overlapping ports.
  8. Remove any existing rules that allow ingress access from the IP range 0.0.0.0/0 on the specified ports (20, 21, 22, 3306, 3389, 4333).
  9. Add new inbound rules to explicitly allow access only from the required IP ranges or specific IP addresses on the specified ports.
  10. Save the changes made to the security group.
  11. Repeat the steps for any additional security groups identified in step 4, if applicable.

By following these steps, the ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from the IP range 0.0.0.0/0 will be effectively restricted within the specified VPC security group(s).
