Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0

This rule ensures that VPC security groups enforce restrictions on TCP and UDP access from all sources.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: NIST 800-53 Revision 4
Severity: High

Rule Description:

The rule requires that Virtual Private Cloud (VPC) security groups restrict ingress TCP and UDP rules so that no rule admits traffic from any source IP address (the 0.0.0.0/0 wildcard). The rule supports compliance with the NIST 800-53 Revision 4 security standard, which focuses on protecting the confidentiality, integrity, and availability of information systems.

Troubleshooting Steps:

If there are any issues related to this rule, follow these troubleshooting steps:

  1. Check Security Group Rules: Ensure that the security group associated with the VPC is correctly configured with the necessary inbound rules.
  2. Review VPC Network ACLs: Verify that the Network Access Control Lists (NACLs) associated with the subnets within the VPC do not allow unrestricted access.
  3. Verify IP Address Range: Confirm that the rules only allow ingress TCP and UDP traffic from IP addresses within a specific range and do not include the 0.0.0.0/0 wildcard.
  4. Review Subnet Associations: Check that the associated subnets are correct and aligned with the intended security group rules.
  5. Subnet Route Tables: Ensure that the subnet route tables are configured properly to route traffic correctly within the VPC.

Necessary Code:

There is no specific code snippet required for this rule, as it relies on configuring and adjusting the security group rules in the AWS Management Console or through command-line interfaces.

Remediation Steps:

Follow these step-by-step instructions to remediate the rule and restrict ingress TCP and UDP access from 0.0.0.0/0 in VPC security groups:

  1. Log in to the AWS Management Console.
  2. Open the Amazon VPC dashboard.
  3. Navigate to the "Security Groups" section.
  4. Select the VPC security group that needs modification.
  5. Click on the "Edit inbound rules" button.
  6. Locate the rules allowing TCP and UDP traffic from the source IP address range 0.0.0.0/0.
  7. Remove or modify those rules to restrict the allowed source IP address range.
  8. Add appropriate IP address ranges or specific IP addresses from which you want to allow access (e.g., your organization's IP range).
  9. Save the changes.
  10. Verify that the security group rules now only allow ingress TCP and UDP traffic from the specified IP addresses or ranges.

Remember to review and test the changes, ensuring there are no unintended consequences or disruptions to your applications or services before applying them in a production environment.
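The verification in step 10 can be automated. The following Python is an added example, not code from the original page or from Cloud Defense: it walks the IpPermissions structure that `aws ec2 describe-security-groups` returns (a constructed sample group is embedded so it runs offline) and reports every ingress rule that admits TCP or UDP from 0.0.0.0/0. It goes slightly beyond the page's wording by also flagging IpProtocol "-1" (all protocols), since that covers TCP and UDP as well.

```python
"""Flag security-group ingress rules that allow TCP/UDP from 0.0.0.0/0.

Added example, not part of the original rule page. It works on the
IpPermissions structure that `aws ec2 describe-security-groups` returns
(boto3 returns the same shape), run here on a constructed sample group.
"""

WORLD_IPV4 = "0.0.0.0/0"

# Constructed sample: an open SSH rule, an open UDP DNS rule, a rule scoped
# to a corporate range, and an ICMP rule that this check does not cover.
SAMPLE_GROUP = {
    "GroupId": "sg-PLACEHOLDER",  # placeholder, not a real group id
    "GroupName": "example-web",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # scoped range: fine
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # not TCP/UDP: out of scope
    ],
}


def open_tcp_udp_rules(group):
    """Return (protocol, from_port, to_port) for every ingress rule that
    admits TCP or UDP from 0.0.0.0/0. IpProtocol "-1" means all protocols,
    which includes TCP and UDP, so such rules are reported too."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "udp", "-1"):
            continue
        if any(r.get("CidrIp") == WORLD_IPV4 for r in perm.get("IpRanges", [])):
            findings.append((proto, perm.get("FromPort"), perm.get("ToPort")))
    return findings


def is_compliant(group):
    """True when the group has no TCP/UDP ingress rule open to the world."""
    return not open_tcp_udp_rules(group)


if __name__ == "__main__":
    for proto, lo, hi in open_tcp_udp_rules(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {proto} {lo}-{hi} open to {WORLD_IPV4}")
```

To run it against real groups, feed each entry of the `SecurityGroups` list from the describe call into `open_tcp_udp_rules`; IPv6 wildcards (`::/0` under `Ipv6Ranges`) are outside this rule and would need a separate check.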
