This rule focuses on restricting ingress access on specific common ports in VPC security groups.
| Attribute | Value |
| --- | --- |
| Rule | VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0 |
| Framework | Federal Financial Institutions Examination Council (FFIEC) |
| Severity | High |
VPC Security Group Rule for FFIEC Compliance
For federal financial institutions, it's crucial to follow the Federal Financial Institutions Examination Council (FFIEC) guidelines, which include restrictions on ingress access for certain ports to enhance security. Configuring these rules properly is essential for compliance and network security.
Description of the Rule
This rule restricts access to sensitive ports that are well-known entry points for intrusion attempts. The following ports should not be accessible from any IP address (0.0.0.0/0): 20 (FTP data), 21 (FTP control), 22 (SSH), 3306 (MySQL), 3389 (RDP) and 4333 (mSQL).
This rule reduces the attack surface by ensuring these ports are not exposed to the entire internet, which would potentially allow unauthorized access to resources within the VPC.
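As an added example, not part of this page's guidance, the check below applies the rule to security groups in the JSON shape returned by `aws ec2 describe-security-groups`; the sample group, its ID `sg-0example` and the office range 203.0.113.0/24 are constructed. It goes a little beyond a literal port match (port ranges that include a blocked port, all-traffic rules, and the IPv6 "anywhere" range ::/0 also count) and builds the matching `revoke-security-group-ingress` command for each offending rule, echoing the rule as it exists because AWS only revokes a rule whose protocol, port range and CIDR all match.

```python
import ipaddress
import json

BLOCKED_PORTS = (20, 21, 22, 3306, 3389, 4333)  # the ports named by the rule

def _is_world(cidr):
    # Any "anywhere" CIDR: 0.0.0.0/0 and its IPv6 counterpart ::/0
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _exposed_ports(perm):
    """Blocked ports reachable through one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return set(BLOCKED_PORTS)
    if proto != "tcp":                     # udp/icmp rules do not reach these TCP services
        return set()
    lo, hi = perm["FromPort"], perm["ToPort"]   # a wide range such as 0-65535 counts too
    return {p for p in BLOCKED_PORTS if lo <= p <= hi}

def find_violations(sg):
    """Sorted (port, cidr) pairs where a blocked port is open to the world."""
    hits = set()
    for perm in sg.get("IpPermissions", []):
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in filter(_is_world, ranges):
            hits.update((p, cidr) for p in _exposed_ports(perm))
    return sorted(hits)

def remediation_commands(sg):
    """One revoke command per offending rule. A revoke only succeeds when it matches the
    rule as it exists (protocol, full port range, CIDR), so echo the original permission."""
    cmds = []
    for perm in sg.get("IpPermissions", []):
        if not _exposed_ports(perm):
            continue
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for r in perm.get(key, []):
                if _is_world(r[field]):
                    spec = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
                    spec[key] = [{field: r[field]}]
                    cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {sg['GroupId']} --ip-permissions '{json.dumps([spec])}'")
    return cmds

# Constructed sample (hypothetical group ID): RDP open to the world, SSH limited to one
# office range, and a port range open over IPv6 that happens to include MySQL (3306).
SAMPLE_SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3350, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}
```

Running `find_violations(SAMPLE_SG)` reports the RDP rule and the IPv6 range (as port 3306) but not the office-restricted SSH rule, and `remediation_commands(SAMPLE_SG)` yields two revoke commands, one per offending rule.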
Step by Step Guide for Remediation
Verify Security Group Configuration
Troubleshoot and Modify Ingress Rules
For each security group that needs to be modified, check for ingress rules that allow access from 0.0.0.0/0 to ports 20, 21, 22, 3306, 3389, 4333.
Remove or Update Ingress Rules via AWS CLI
If there are such rules, they need to be either removed or updated to restrict access. Below are CLI commands that could be used for modification:
```bash
# Use the revoke-security-group-ingress command to remove each unauthorized rule
aws ec2 revoke-security-group-ingress --group-id <Your-Security-Group-ID> --protocol tcp --port <Port-Number> --cidr 0.0.0.0/0
```
Repeat this command for each port specified (20, 21, 22, 3306, 3389, and 4333). Replace <Your-Security-Group-ID> with your actual security group ID and <Port-Number> with each port you wish to revoke access to.
Update Security Group via AWS Management Console
Alternatively:
Compliance Monitoring
To maintain FFIEC compliance, regularly monitor your VPC security groups to verify that these rules are in place and have not been altered.
Automated Compliance Checking
Use services like AWS Config to continuously monitor and record your AWS resource configurations and automatically evaluate them against desired configurations to ensure compliance.
AWS Config Rule Example
Here's how you might set up an AWS Config rule to check compliance:
```yaml
# AWS Config rule that checks whether the specific ports are not open to 0.0.0.0/0
# Note: the AWS managed rule behind the console name "restricted-common-ports" is
# RESTRICTED_INCOMING_TRAFFIC, which accepts blockedPort1 through blockedPort5
# (its defaults are 20, 21, 3389, 3306 and 4333); port 22 is covered by the
# separate managed rule INCOMING_SSH_DISABLED ("restricted-ssh").
Resources:
  SecurityGroupPortCheck:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: 'restricted-common-ports'
      Description: 'Ensure ports 20, 21, 22, 3306, 3389, 4333 are not open to 0.0.0.0/0'
      Scope:
        ComplianceResourceTypes:
          - 'AWS::EC2::SecurityGroup'
      InputParameters:
        blockedPort1: "20"
        blockedPort2: "21"
        blockedPort3: "22"
        blockedPort4: "3306"
        blockedPort5: "3389"
        blockedPort6: "4333"
      Source:
        Owner: 'AWS'
        SourceIdentifier: 'EC2_SECURITY_GROUP_OPEN_TO_WORLD'
```
Following this guide and the accompanying code helps bring your security group configurations into line with the FFIEC requirements and strengthens the overall security posture of your organization. Document any changes and retain the records so you can demonstrate compliance during audits.