Rule: VPC Security Groups Should Restrict Ingress Access
This rule ensures that security groups restrict access on common ports from all sources.
| Rule | VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0 |
| Framework | HIPAA |
| Severity | ✔ High |
Rule Description
This rule states that the security groups within the VPC should restrict the ingress access on specific ports (20, 21, 22, 3306, 3389, and 4333) from the IP range 0.0.0.0/0. This rule is applicable to ensure compliance with the HIPAA (Health Insurance Portability and Accountability Act) regulations, which aim to protect sensitive health information.
Troubleshooting Steps
If there are any issues related to the security group configuration, follow these troubleshooting steps:
- 1.Verify Security Group Rules: Check the existing rules within the security groups attached to the VPC.
- 2.Ingress Rule Presence: Ensure that there are rules present to restrict the ingress access on ports 20, 21, 22, 3306, 3389, and 4333.
- 3.IP Range: Confirm that the IP range 0.0.0.0/0 is specified for these ingress rules.
- 4.Rule Priority: Check the priority of the security group rules to ensure that the desired ingress restrictions are applied correctly.
- 5.Instances and Subnets: Verify that the security groups are associated with the correct instances and subnets within the VPC.
Necessary Codes
Here are the necessary codes to implement the ingress access restrictions within the VPC security groups:
Resources:
MySecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: MySecurityGroup
GroupDescription: Security group for HIPAA compliance
VpcId: vpc-12345678
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 20
ToPort: 20
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 21
ToPort: 21
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 3306
ToPort: 3306
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 3389
ToPort: 3389
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 4333
ToPort: 4333
CidrIp: 0.0.0.0/0
You can use the above CloudFormation (AWS CloudFormation) template code to create a security group that complies with the ingress access restrictions mentioned.
Step-by-Step Guide for Remediation
Follow these step-by-step instructions to remediate the ingress access to the specified ports from 0.0.0.0/0 within the VPC security groups:
- 1.Log in to the AWS Management Console.
- 2.Go to the EC2 dashboard.
- 3.Click on "Security Groups" in the left navigation menu.
- 4.Select the security group that needs to be modified.
- 5.Click on the "Inbound Rules" or "Inbound" tab, depending on the user interface version.
- 6.Click on "Edit inbound rules" or "Edit inbound" option.
- 7.Remove any existing rules that allow ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from 0.0.0.0/0, if present.
- 8.Click on "Add rule" or "Add inbound rule" option.
- 9.Select the "Type" as "Custom TCP Rule".
- 10.Enter the port number (20, 21, 22, 3306, 3389, or 4333) in the "Port Range" field.
- 11.Enter the IP range "0.0.0.0/0" in the "Source" or "Source IP" field.
- 12.Click on "Save" or "Add rule" to apply the ingress access restriction.
- 13.Repeat steps 8-12 for each individual port mentioned in the rule.
- 14.Verify that the ingress rules are updated as per the desired configuration by checking the security group details.
- 15.Associate the updated security group with the appropriate instances or subnets as required.
By following these steps, you can implement the necessary ingress access restrictions on specified ports within the VPC security groups for HIPAA compliance.