Rule: VPC Security Groups should restrict Ingress SSH access from 0.0.0.0/0

This rule ensures that VPC Security Groups restrict Ingress SSH access from the global IP range 0.0.0.0/0.

Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

VPC security groups should restrict ingress SSH (Secure Shell) access from the IP range of 0.0.0.0/0 for compliance with NIST 800-171 Revision 2. This rule ensures that only authorized users within a specific IP range can establish SSH connections to resources within the Virtual Private Cloud (VPC).

Troubleshooting Steps:

If SSH access is not properly restricted, it poses a security risk, as it allows any IP address (0.0.0.0/0) to attempt SSH connections. Here are the troubleshooting steps to ensure the restriction is properly implemented:

  1. Identify the VPC security group(s) associated with the resources that allow SSH access.
  2. Verify the inbound rule configuration for SSH access.
  3. Ensure that the source IP range is not set to 0.0.0.0/0, or remove any existing SSH access rule that violates the NIST 800-171 guidelines.
  4. Update the security group(s) with the correct rule configuration.

Necessary Code:

The following code snippet provides an example of how to create a new security group rule for SSH ingress access restricted to specific IP ranges using the AWS CLI:

aws ec2 authorize-security-group-ingress \
    --group-id <security-group-id> \
    --protocol tcp \
    --port 22 \
    --cidr <valid-ip-range>

Replace <security-group-id> with the actual ID of the security group that needs to be modified, and <valid-ip-range> with the desired IP range (e.g., 192.168.0.0/24) allowed for SSH access.

Step-by-Step Guide for Remediation:

To remediate the VPC security group to restrict SSH access from 0.0.0.0/0 for compliance with NIST 800-171 Revision 2, follow these steps:

  1. Identify the VPC security group(s) associated with the resources (e.g., EC2 instances) that allow SSH access.
  2. Access the AWS Management Console or use the AWS CLI to navigate to the EC2 service.
  3. Locate and select the appropriate VPC security group(s).
  4. Look for the inbound rule that allows SSH access (port 22) from 0.0.0.0/0 or any other non-restricted IP range.
  5. Remove the existing insecure SSH rule(s) if present.
  6. Add a new inbound rule to restrict SSH access to the specific IP range required.
     • Protocol: TCP
     • Port range: 22
     • Source IP: Specify the valid IP range from where SSH access is allowed.
  7. Save the changes to the security group.
  8. Verify that the updated security group configuration restricts SSH access to the desired IP range.

By following these steps, the VPC security group will be configured to restrict SSH access from 0.0.0.0/0, adhering to the NIST 800-171 Revision 2 requirements.
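The verification in step 8 can be automated. The following is an added example, not part of this rule page or the Cloud Defense product: a pure-Python check over the IpPermissions structure that the EC2 describe-security-groups API returns, run here on a constructed sample so it works offline. It goes slightly beyond the rule text by also flagging the IPv6 "anywhere" range ::/0, "all traffic" (protocol -1) rules, and TCP port ranges that contain 22 rather than only exact 22-22 rules, since each of those exposes SSH just as 0.0.0.0/0 on port 22 does.

```python
# Flag VPC security group ingress rules that expose SSH (TCP/22) to the whole
# internet. Input is the IpPermissions shape of ec2.describe_security_groups().
from typing import Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"
SSH_PORT = 22


def covers_ssh(perm: Dict) -> bool:
    """True if an ingress permission includes TCP port 22."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":            # "all traffic" rules cover SSH too
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= SSH_PORT <= hi  # catches 0-65535 or 20-25, not just 22-22


def world_sources(perm: Dict) -> List[str]:
    """CIDR sources on this permission that mean 'anywhere'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_open_ssh(security_groups: List[Dict]) -> List[Dict]:
    """One finding per (group, world-open CIDR) whose rule reaches port 22."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_ssh(perm):
                continue
            for cidr in world_sources(perm):
                findings.append({"GroupId": sg["GroupId"], "Cidr": cidr,
                                 "IpProtocol": perm.get("IpProtocol"),
                                 "FromPort": perm.get("FromPort"),
                                 "ToPort": perm.get("ToPort")})
    return findings


# Constructed sample in describe_security_groups() shape (not real AWS data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000001", "IpPermissions": [   # SSH open to IPv4 world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000002", "IpPermissions": [   # all traffic, IPv6 world
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000003", "IpPermissions": [   # compliant: one /24
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "192.168.0.0/24"}], "Ipv6Ranges": []}]},
]
```

Against live data, pass the "SecurityGroups" list from boto3's `ec2.describe_security_groups()` to `find_open_ssh`; an empty result means every group satisfies the rule.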
