
Rule: VPC Security Groups Restrict Ingress SSH Access

This rule ensures VPC security groups restrict SSH access from 0.0.0.0/0.

Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

The VPC security groups should restrict ingress SSH access from the 0.0.0.0/0 IP address range for FedRAMP Low Revision 4 compliance. This rule ensures that the SSH (Secure Shell) access to the virtual private cloud (VPC) instances is only allowed from specific IP addresses, rather than allowing access from any source.

Troubleshooting Steps:

If SSH access from the 0.0.0.0/0 IP address range is allowed in the VPC security groups, it can pose a security risk and may lead to unauthorized access to the instances.

To troubleshoot this issue, follow these steps:

  1. Review the current security group configuration.
  2. Identify the ingress rules for SSH access.
  3. Check whether the security group allows SSH access from 0.0.0.0/0.
  4. If SSH access from 0.0.0.0/0 is allowed, proceed with the remediation steps below.
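The check in the troubleshooting steps can be automated against the output of `aws ec2 describe-security-groups` (or boto3's `describe_security_groups`). The following is an added example, not Cloud Defense's own checker; it evaluates the `IpPermissions` structure that API returns, so it runs offline on the constructed sample groups below and the same function can be fed live output. It goes slightly beyond the rule's wording by also flagging `::/0` and "all traffic" (`IpProtocol` `-1`) rules, both of which expose port 22 to any source.

```python
"""Detect VPC security group ingress rules that expose SSH (TCP/22) to the world.

Added example (not Cloud Defense's or AWS's code). Input is a list of security
groups in the shape returned by `aws ec2 describe-security-groups`.
"""
from typing import Dict, List

SSH_PORT = 22
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _covers_ssh(perm: Dict) -> bool:
    """True if an IpPermission entry covers TCP port 22.

    IpProtocol "-1" means all traffic and carries no port fields; a TCP
    rule covers SSH when FromPort <= 22 <= ToPort (0-65535 counts too).
    """
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":
        return True
    if proto.lower() not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= SSH_PORT <= perm.get("ToPort", -1)


def _world_open_cidrs(perm: Dict) -> List[str]:
    """Return the unrestricted CIDRs (IPv4 and IPv6) present on a permission."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in (ANY_V4, ANY_V6)]


def find_open_ssh_rules(security_groups: List[Dict]) -> List[Dict]:
    """Return one finding per permission that allows SSH from any source."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _covers_ssh(perm):
                continue
            open_cidrs = _world_open_cidrs(perm)
            if open_cidrs:
                findings.append({
                    "GroupId": sg.get("GroupId"),
                    "GroupName": sg.get("GroupName"),
                    "IpProtocol": perm.get("IpProtocol"),
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "OpenCidrs": open_cidrs,
                })
    return findings


# Constructed sample in the describe-security-groups output shape (not real AWS data).
SAMPLE_GROUPS = [
    {   # Non-compliant: SSH from anywhere over IPv4
        "GroupId": "sg-0000000000000aaaa", "GroupName": "web-bastion",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # Compliant: SSH only from a single office address
        "GroupId": "sg-0000000000000bbbb", "GroupName": "app",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "123.45.67.89/32"}], "Ipv6Ranges": []}],
    },
    {   # Non-compliant but easy to miss: "all traffic" from ::/0 also exposes port 22
        "GroupId": "sg-0000000000000cccc", "GroupName": "legacy",
        "IpPermissions": [{"IpProtocol": "-1",
                           "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
    {   # Compliant for this rule: HTTPS open to the world is a different control
        "GroupId": "sg-0000000000000dddd", "GroupName": "public-web",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
]

if __name__ == "__main__":
    for f in find_open_ssh_rules(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): proto={f['IpProtocol']} "
              f"ports={f['FromPort']}-{f['ToPort']} open to {f['OpenCidrs']}")
```

Running it on the sample flags `web-bastion` and `legacy` and leaves the other two alone. To run it against a real account, pass `json.load(...)["SecurityGroups"]` from the CLI output (or the `SecurityGroups` list from boto3) to `find_open_ssh_rules`.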

Remediation Steps:

To remediate this issue and ensure compliance with FedRAMP Low Revision 4, follow the step-by-step guide below:

Step 1: Identify the VPC Security Group(s) to Update

  1. Log in to the AWS Management Console.
  2. Open the Amazon VPC service.

Step 2: Select the Security Group(s)

  1. From the left-hand menu, click on "Security Groups".
  2. Identify the security group(s) associated with your instances that need to be updated.

Step 3: Edit Security Group Rules

  1. Select the security group to edit by clicking on its name.
  2. Click on the "Inbound Rules" tab.
  3. Locate the rule for SSH access, which is typically specified as "SSH / Port 22".
  4. Select the corresponding rule by clicking on the "Edit" button or pencil icon.

Step 4: Modify SSH Ingress Rule

  1. In the source field, replace 0.0.0.0/0 with the specific IP addresses or IP address ranges that require SSH access.
    • It is recommended to limit SSH access to trusted IP addresses only, such as your organization's office network or specific VPN IPs.
    • Example: If your office network's public IP is 123.45.67.89, enter "123.45.67.89/32" to allow access from only this IP.

Step 5: Save the Security Group Changes

  1. Click on the "Save Rules" or "Apply Changes" button to save the modified rule.
  2. Verify that the rule is updated by reviewing the inbound rules on the "Inbound Rules" tab.
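Steps 3 to 5 can also be carried out through the API, which is useful when many groups fail the rule. The following is an added example, not Cloud Defense's own tooling; it builds the `IpPermissions` payloads that boto3's `revoke_security_group_ingress` and `authorize_security_group_ingress` accept, and only imports boto3 when `apply_remediation` is actually called, so the payload logic runs offline. The finding shape it consumes (group id, protocol, port range, the open CIDRs) is an assumption about what a checker would produce from `describe-security-groups` output.

```python
"""Narrow a world-open SSH rule to trusted CIDRs (added example, not AWS or Cloud Defense code)."""
import ipaddress
from typing import Dict, List, Tuple

WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def _ssh_permission(cidrs: List[str]) -> Dict:
    """IpPermission for TCP/22 limited to the given CIDRs (v4 -> IpRanges, v6 -> Ipv6Ranges).

    strict=True rejects a CIDR with host bits set (e.g. 123.45.67.89/24), which
    is almost always a typo that would open far more than intended.
    """
    v4, v6 = [], []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=True)   # raises ValueError on bad input
        if net.prefixlen == 0:                        # 0.0.0.0/0 or ::/0
            raise ValueError(f"{c} is world-open; that is what this rule forbids")
        (v4 if net.version == 4 else v6).append(c)
    perm = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}
    if v4:
        perm["IpRanges"] = [{"CidrIp": c, "Description": "SSH from trusted range"} for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c, "Description": "SSH from trusted range"} for c in v6]
    return perm


def build_remediation(finding: Dict, allowed_cidrs: List[str]) -> Tuple[Dict, Dict]:
    """Return (revoke_payload, authorize_payload) for one world-open SSH rule.

    Only a rule scoped exactly to TCP/22 is narrowed here. Revoking the
    0.0.0.0/0 entry of an "all traffic" or wide port-range rule would also
    drop other ports, so such rules are refused and left for manual review.
    """
    if (str(finding.get("IpProtocol")) != "tcp"
            or finding.get("FromPort") != 22 or finding.get("ToPort") != 22):
        raise ValueError("rule is broader than TCP/22; narrow it manually")
    open_cidrs = [c for c in finding.get("OpenCidrs", []) if c in WORLD_OPEN]
    if not open_cidrs:
        raise ValueError("nothing to revoke: rule has no world-open range")
    revoke = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}
    v4 = [c for c in open_cidrs if ":" not in c]
    v6 = [c for c in open_cidrs if ":" in c]
    if v4:
        revoke["IpRanges"] = [{"CidrIp": c} for c in v4]
    if v6:
        revoke["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
    return revoke, _ssh_permission(allowed_cidrs)


def apply_remediation(group_id: str, revoke: Dict, authorize: Dict) -> None:
    """Apply the payloads with a boto3 EC2 client (needs credentials and ec2:*SecurityGroupIngress).

    The trusted ranges are authorized first so an operator connected from one
    of them is never locked out between the two calls.
    """
    import boto3  # imported here so the payload logic above runs without boto3 installed
    ec2 = boto3.client("ec2")
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[authorize])
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[revoke])


# Constructed finding (not real AWS data): TCP/22 open to the world over IPv4.
SAMPLE_FINDING = {
    "GroupId": "sg-0000000000000aaaa", "IpProtocol": "tcp",
    "FromPort": 22, "ToPort": 22, "OpenCidrs": ["0.0.0.0/0"],
}

if __name__ == "__main__":
    rev, auth = build_remediation(SAMPLE_FINDING, ["123.45.67.89/32"])
    print("revoke   :", rev)
    print("authorize:", auth)
    # apply_remediation(SAMPLE_FINDING["GroupId"], rev, auth)  # uncomment to apply for real
```

Two caveats when applying this for real: `authorize_security_group_ingress` fails with `InvalidPermission.Duplicate` if an identical trusted range already exists on the group (skip the authorize in that case), and the matching step in the console (Step 5, point 2) still applies: re-read the group afterwards and confirm that no 0.0.0.0/0 or ::/0 entry remains on port 22.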

Additional Notes:

  • Ensure that you have sufficient permissions to modify the VPC security group rules.
  • Keep a record of the IP addresses that are granted SSH access for future reference.
  • Regularly review and update the security group rules as per your organization's security policies or any relevant compliance requirements.

Note: The above steps are specific to AWS VPC security groups, but the same concept (restricting SSH ingress to known source ranges) applies to other cloud providers' network security configurations.
