This rule ensures VPC security groups limit inbound traffic to specific IP ranges for enhanced security.
Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: NIST 800-53 Revision 5
Severity: High
Rule Description
VPC security groups should not allow ingress TCP or UDP traffic from the IP range 0.0.0.0/0, which matches every IPv4 address on the internet. This rule is aligned with the NIST 800-53 Revision 5 guidelines for enhancing the security posture of the VPC infrastructure.
Policy Details
To comply with this policy, the security groups within the Virtual Private Cloud (VPC) should be configured to only allow TCP and UDP traffic from specific IP ranges or security groups, rather than permitting unrestricted access from any IP address.
Troubleshooting Steps
If a security group allows ingress TCP or UDP access from 0.0.0.0/0, any host on the internet can reach the affected ports on every instance that uses that group. Follow these steps to troubleshoot and remediate the issue:
Identify the affected security groups: Use the AWS Management Console or AWS CLI commands to determine which security groups do not adhere to the policy.
Review security group inbound rules: Examine the inbound rules of the identified security groups to check if any TCP or UDP rules allow unrestricted access from 0.0.0.0/0.
Update security group rules: Update the security group rules to restrict TCP and UDP access to specific IP ranges or security groups. Remove any rules that allow unrestricted access from 0.0.0.0/0.
Test connectivity: After updating the security group rules, ensure that the necessary TCP and UDP connections are still functioning as intended. Test connectivity from the allowed IP ranges or security groups to verify the restrictions are correctly implemented.
Necessary Codes (if applicable)
If using AWS CLI, you can use the following commands to update security group rules.
aws ec2 describe-security-groups --group-ids <security-group-id>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <tcp/udp> --port <port-number> --cidr <source-ip-range>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <tcp/udp> --port <port-number> --source-group <source-security-group-id>
Replace <security-group-id> with the ID of the security group you want to update. Specify the appropriate <tcp/udp> protocol and <port-number>, and either a specific <source-ip-range> (with --cidr) or a <source-security-group-id> (with --source-group) based on your requirements.
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol <tcp/udp> --port <port-number> --cidr 0.0.0.0/0
Use this command to remove existing rules that allow unrestricted access from 0.0.0.0/0. Ensure you replace the placeholders as mentioned above.
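The troubleshooting steps above (identify the groups, review their inbound rules, remove the open rules) can be automated over the output of aws ec2 describe-security-groups. The following is an added example, not code from the original page: it walks a describe-security-groups JSON document, flags every inbound rule that allows TCP or UDP from anywhere, and builds the matching revoke command for each IPv4 finding. It goes slightly beyond the rule text by also flagging "all traffic" (-1) rules, which include TCP and UDP, and the IPv6 equivalent ::/0. The group IDs and rules in SAMPLE are constructed.

```python
# "-1" is "all traffic", which includes TCP and UDP.
FLAGGED_PROTOCOLS = {"tcp", "udp", "-1"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

def open_ingress_rules(describe_output):
    """Return (group_id, protocol, from_port, to_port, cidr) for each
    inbound rule allowing TCP/UDP (or all traffic) from anywhere.
    Input: dict parsed from `aws ec2 describe-security-groups` JSON."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            if proto not in FLAGGED_PROTOCOLS:
                continue
            # FromPort/ToPort are absent when a rule covers all ports.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in (ANY_IPV4, ANY_IPV6):
                    findings.append((sg["GroupId"], proto, lo, hi, cidr))
    return findings

def revoke_command(finding):
    """Matching `revoke-security-group-ingress` call for an IPv4 TCP/UDP
    finding; all-traffic and IPv6 rules need --ip-permissions instead."""
    gid, proto, lo, hi, cidr = finding
    if proto not in ("tcp", "udp") or cidr != ANY_IPV4:
        return None
    port = str(lo) if lo == hi else f"{lo}-{hi}"
    return (f"aws ec2 revoke-security-group-ingress --group-id {gid} "
            f"--protocol {proto} --port {port} --cidr {cidr}")

# Constructed sample in the shape of describe-security-groups output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

if __name__ == "__main__":
    for f in open_ingress_rules(SAMPLE):
        print(f, "->", revoke_command(f))
```

Feed it the real output with `aws ec2 describe-security-groups --output json` and review each generated revoke command before running it, since removing a rule also cuts any legitimate traffic that relied on it.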
Remediation Steps
Follow these step-by-step guidelines to remediate the non-compliant security groups:
Identify the security groups: Identify the security groups that need to be updated based on the defined rule/policy.
Access the AWS Management Console or AWS CLI: Log in to the AWS Management Console or use AWS CLI with appropriate credentials to access the required AWS services.
Navigate to Amazon VPC service: Select the Amazon VPC service from the AWS Management Console dashboard.
Select Security Groups: Click on "Security Groups" from the left-hand menu.
Locate the security group: Locate the security group that requires modification and click on its name to open the details page.
Update inbound rules: In the inbound rules section, modify or add rules to restrict TCP and UDP access to the required IP ranges or security groups. Remove any rules that allow unrestricted access from 0.0.0.0/0. Save the changes.
Test connectivity: After applying the changes, test the connectivity to ensure that the desired restrictions are in place and necessary connections are functioning correctly.
Repeat for other security groups: Repeat the above steps for other security groups that are non-compliant.
Regularly monitor and update security groups to ensure adherence to the specified policy.