This rule ensures VPC security groups restrict SSH access from 0.0.0.0/0.
Rule | VPC security groups should restrict ingress SSH access from 0.0.0.0/0 |
Framework | CISA-cyber-essentials |
Severity | ✔ High |
Understanding VPC Security Groups and SSH Access Restrictions
VPC security groups act as a virtual firewall for your instances to control inbound and outbound traffic. In the context of cybersecurity, restricting SSH access to specific IP addresses mitigates risks by preventing unauthorized access.
Rule Details: Restrict Ingress SSH Access
Objective: To bolster security by ensuring that Secure Shell (SSH) access to EC2 instances is not open to the entire internet.
Requirement: SSH access (port 22) must only be allowed from specific, trusted IP addresses or ranges, not from 0.0.0.0/0, which represents any IP address.
Troubleshooting Steps
If a security group mistakenly allows ingress SSH from 0.0.0.0/0, follow these steps:
Identify the Security Group with the Open Rule: Use the AWS Management Console, AWS CLI, or APIs to list all security groups and their ingress rules. Look for rules that allow traffic on port 22 from 0.0.0.0/0.
Assess the Rule: Determine why the rule is in place. It may have been added for a specific but temporary purpose.
Modify the Rule: Update the security group to restrict SSH access to a specific IP address or range.
Monitor for Unintended Consequences: After updating the security group, ensure that legitimate users are not accidentally locked out.
Necessary AWS CLI Commands
Here are the CLI commands that one might require for remediating the issue:
1. List all Security Groups and Their Rules
aws ec2 describe-security-groups --query "SecurityGroups[*].{ID:GroupId,Ingress:IpPermissions}" --output json
2. Identify the Rule to Change
Look for entries where IpProtocol is "tcp", FromPort is 22, and IpRanges contains 0.0.0.0/0.
3. Remove the Open Ingress Rule
aws ec2 revoke-security-group-ingress --group-id [SecurityGroupId] --protocol tcp --port 22 --cidr 0.0.0.0/0
Replace [SecurityGroupId] with the actual security group ID.
4. Add a More Restrictive Rule
aws ec2 authorize-security-group-ingress --group-id [SecurityGroupId] --protocol tcp --port 22 --cidr [YourIP]/32
Replace [YourIP] with the trusted IP address; the /32 prefix length allows exactly that one address, so use the appropriate prefix length instead if a trusted range is needed.
Step by Step Guide for Remediation
Step 1: Identify Overly Permissive Security Groups
Execute the command to list all security groups and ingress rules to identify those that allow ingress SSH from any IP address.
Step 2: Validate Necessity
Before making changes, ensure that the identified rule is not required for a legitimate purpose or by other security protocols.
Step 3: Modify the Security Group
Use the revoke-security-group-ingress command to remove the open SSH access rule from the identified security group.
Step 4: Add a Restricted Access Rule
Replace the open rule with a new restricted rule using the authorize-security-group-ingress command. Specify the CIDR block from which SSH access is allowed.
Step 5: Test the Connection
After changing the rules, verify that the intended users can still SSH into the instances using the newly specified IP range.
Step 6: Continuous Monitoring
Regularly monitor and audit security groups to ensure compliance with this rule and overall security posture.
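The check in step 2 of the CLI section and the recurring audit in Step 6 can be scripted against the JSON that the describe-security-groups query above returns. The following Python is an added example written for this page; it is not part of the original rule text or of any AWS tooling. It reads a constructed sample of that query output (the group IDs are placeholders) and goes slightly beyond the page's literal check: besides IpProtocol "tcp" with FromPort 22, it also flags TCP port ranges that span 22, rules with IpProtocol "-1" (all protocols and ports, which carry no FromPort/ToPort), and the IPv6 "anywhere" source ::/0, since each of these exposes SSH to the internet just as 0.0.0.0/0 does.

```python
from __future__ import annotations
import json

SSH_PORT = 22
# CIDRs that mean "any source": the IPv4 form named by this rule and its IPv6 equivalent.
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_covers_ssh(perm: dict) -> bool:
    """True if one IpPermissions entry can carry TCP traffic to port 22.

    The page's check (IpProtocol "tcp" and FromPort 22) is the common case.
    This also catches a TCP port range that spans 22 and IpProtocol "-1"
    (all protocols, all ports), which has no FromPort/ToPort fields at all.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    from_port = perm.get("FromPort")
    if from_port is None:
        return False
    to_port = perm.get("ToPort", from_port)
    return from_port <= SSH_PORT <= to_port


def anywhere_sources(perm: dict) -> list[str]:
    """Return the 'any source' CIDRs listed on the rule (IPv4 and IPv6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE]
    return v4 + v6


def find_open_ssh(groups: list[dict]) -> list[dict]:
    """One finding per (security group, offending rule, offending CIDR).

    `groups` has the shape produced by the describe-security-groups query
    on this page: [{"ID": "sg-...", "Ingress": [<IpPermissions>, ...]}, ...].
    """
    findings = []
    for group in groups:
        for perm in group.get("Ingress", []):
            if not rule_covers_ssh(perm):
                continue
            for cidr in anywhere_sources(perm):
                findings.append({
                    "group_id": group["ID"],
                    "protocol": perm["IpProtocol"],
                    "from_port": perm.get("FromPort"),
                    "to_port": perm.get("ToPort"),
                    "cidr": cidr,
                })
    return findings


# Constructed sample of the query output; the group IDs are placeholders, not real resources.
SAMPLE = json.loads("""
[
  {"ID": "sg-0aaaaaaaaaaaaaaa1", "Ingress": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"ID": "sg-0bbbbbbbbbbbbbbb2", "Ingress": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
  {"ID": "sg-0ccccccccccccccc3", "Ingress": [
     {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"ID": "sg-0ddddddddddddddd4", "Ingress": [
     {"IpProtocol": "-1",
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"ID": "sg-0eeeeeeeeeeeeeee5", "Ingress": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]
""")

if __name__ == "__main__":
    # Expected: sg-...1 (tcp 22), sg-...3 (tcp 0-1024) and sg-...4 (all traffic from ::/0).
    # sg-...2 is restricted to one trusted address and sg-...5 exposes only 443, so neither is reported.
    for f in find_open_ssh(SAMPLE):
        ports = "all" if f["from_port"] is None else f"{f['from_port']}-{f['to_port']}"
        print(f"{f['group_id']}: {f['protocol']} {ports} open from {f['cidr']}")
```

To run it against a real account, save the output of the describe-security-groups command above to a file and load that instead of SAMPLE. Each finding records the protocol, port range and CIDR of the rule as it actually exists, which is what the revoke-security-group-ingress call in step 3 has to name: a rule that opens 0-1024 is removed by revoking that range, not by revoking --port 22.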
By following these steps and using the provided AWS CLI commands, you can secure your VPC security groups against common cyber threats and align with the CISA Cyber Essentials guidelines. These actions will enhance your infrastructure's security and could improve your website's SEO by demonstrating a commitment to cybersecurity.