
Rule: VPC Security Groups Should Restrict Ingress Access

This rule focuses on restricting access on common ports from 0.0.0.0/0 in VPC security groups.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description

This rule enforces the restriction of ingress access on specific ports (20, 21, 22, 3306, 3389, and 4333) from the IP range 0.0.0.0/0 (any IP address) within a Virtual Private Cloud (VPC) environment. The purpose is to enhance the security posture of the VPC by limiting access to these ports to only authorized entities. This rule specifically applies to the FedRAMP Low environment, Revision 4.

Troubleshooting Steps

If there are any connectivity issues related to the ingress access on the specified ports, you should follow these troubleshooting steps:

  1. Verify the security group associated with the affected instance(s).
  2. Confirm that the inbound rules on the security group allow access on the necessary ports (20, 21, 22, 3306, 3389, and 4333) from the designated IP range (0.0.0.0/0).
  3. Ensure that the affected instances are associated with the correct security group.
  4. Check if any network ACLs (Access Control Lists) are blocking the traffic on the specified ports.
  5. If applicable, make sure that any network load balancers or firewall rules associated with the instances are properly configured.

Necessary Codes

To implement this rule, you need to modify the inbound rules of the relevant security groups in your VPC. Here is an example code snippet:

# Remove the inbound rules that expose each port to any IPv4 address (0.0.0.0/0)
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 20 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 21 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3306 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 4333 --cidr 0.0.0.0/0

Replace <security-group-id> with the actual ID of the security group to which you want to apply these rules.

Step-by-Step Guide for Remediation

Follow these step-by-step instructions to ensure that the ingress access on ports 20, 21, 22, 3306, 3389, and 4333 is properly restricted within your VPC:

  1. Identify the security group(s) associated with the instance(s) that require the rule modification.
  2. Access the AWS Management Console or use the AWS CLI (Command Line Interface) to log in to your AWS account.
  3. Open the Amazon VPC service.
  4. Select "Security Groups" from the left-hand menu.
  5. Locate the security group(s) associated with the affected instance(s).
  6. Select the appropriate security group to view its details.
  7. In the "Inbound rules" section, check if any existing rules allow access on ports 20, 21, 22, 3306, 3389, and 4333 from 0.0.0.0/0.
  8. If such rules exist, select them and click on the "Delete" or "Remove" button to remove them.
  9. Once the old rules are removed, click on the "Add Rule" button or similar to create new inbound rules.
  10. Add inbound rules for each required port (20, 21, 22, 3306, 3389, and 4333), specifying the following parameters:

  • Type: "Custom TCP Rule"
  • Port Range: The respective port number
  • Source: "Custom", with the CIDR range of the authorized sources. Entering "0.0.0.0/0" here would allow access from any IP address, which is exactly what this rule prohibits.

  11. Repeat step 10 for each required port.
  12. After adding all the necessary rules, click on the "Save" or "Apply" button to apply the changes.
  13. Verify that the new inbound rules are appropriately configured and restricting access as intended.

By following these steps, you will successfully restrict ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from 0.0.0.0/0 within your VPC for the specified FedRAMP Low Revision.
