
Rule: VPC Security Groups should restrict Ingress SSH access from 0.0.0.0/0

This rule focuses on restricting Ingress SSH access in VPC security groups.

Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description

This rule enforces the restriction of SSH access from the entire internet (0.0.0.0/0) within the VPC security groups. The rule aligns with the NIST 800-53 Revision 5 standard, which emphasizes network security and access control measures.

Troubleshooting Steps

If SSH access from 0.0.0.0/0 is allowed, it can pose a significant security risk. To troubleshoot and remediate this issue, follow the steps below:

  1. Identify the affected security group(s) within the VPC that permit SSH access from 0.0.0.0/0.

  2. Review the associated network ACLs (if applicable) to ensure they do not override the security group restrictions.

  3. Verify if any instances or services require SSH access from specific IP ranges or sources. If so, consider implementing a more targeted security group rule or a bastion host solution.

  4. Assess whether any external service or third-party connection necessitates SSH access from all IP addresses. Modify the security group rules accordingly to limit access to only trusted sources.

  5. Consider adopting a VPN connection or AWS PrivateLink where possible to limit SSH access to private networks or trusted partners.

Necessary Codes

No specific codes are required to address this rule. Instead, the rule instructs administrators to modify the existing security group rules to restrict SSH access.

Remediation Steps

Follow these step-by-step instructions to restrict SSH access from 0.0.0.0/0:

  1. Identify the security group(s) that allow SSH access from 0.0.0.0/0 by navigating to the Amazon VPC dashboard.

  2. In the VPC dashboard, click on "Security Groups" in the left-hand menu.

  3. Select the security group that needs modification.

  4. Under the "Inbound Rules" or "Ingress" tab, locate the rule that allows SSH access from 0.0.0.0/0.

  5. Edit the rule by clicking on the "Edit" or "Actions" button next to it.

  6. In the rule's configuration, change the source IP or CIDR range from 0.0.0.0/0 to a more restricted IP range or specific IP addresses that require SSH access.

  7. Save the changes.

  8. Review the other security group rules to ensure they align with best practices and specific requirements.

  9. Repeat the steps for any additional security groups that allow SSH access from 0.0.0.0/0.

  10. Test the updated security group configuration to confirm that SSH access is now restricted according to the defined source IP or CIDR range.
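The console steps above, and the first troubleshooting step (identifying the offending groups), can also be scripted. The following is an added example, not Cloud Defense's own code or tooling: it evaluates security group data in the shape returned by the EC2 describe_security_groups API, flags every rule that admits TCP/22 from 0.0.0.0/0 or ::/0 (including rules whose port range merely contains 22, and all-traffic rules with protocol -1), and then revokes the world-open grant and replaces it with a narrow source CIDR. The sample groups, the group IDs and the bastion address 203.0.113.10/32 are constructed values; the DryRunClient only records the API calls so the script runs offline, and a real boto3 EC2 client can be passed in its place since revoke_security_group_ingress and authorize_security_group_ingress are real EC2 operations.

```python
"""Find and remediate VPC security group rules that expose SSH (TCP/22)
to the entire internet. Added example with constructed sample data."""

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def permission_covers_ssh(perm):
    """True if an IpPermission entry admits TCP/22.
    IpProtocol '-1' means all protocols and all ports."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def world_open_cidrs(perm):
    """Return the world-open IPv4 and IPv6 CIDRs in one permission."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_CIDRS]
    return v4 + v6


def find_world_open_ssh(security_groups):
    """Return (group_id, permission, cidr) for every rule granting SSH to the world.
    `security_groups` is the 'SecurityGroups' list from describe_security_groups."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_ssh(perm):
                continue
            for cidr in world_open_cidrs(perm):
                findings.append((sg["GroupId"], perm, cidr))
    return findings


def remediate(ec2, group_id, perm, cidr, allowed_cidr):
    """Revoke the world-open grant and replace it with SSH from `allowed_cidr`
    (e.g. a bastion host's /32). Only the offending CIDR is removed; other
    source ranges in the same permission stay. All-traffic rules are skipped,
    because revoking them would affect far more than SSH: returns None so a
    human can review them."""
    if perm["IpProtocol"] == "-1":
        return None
    is_v6 = ":" in cidr
    revoke_perm = {
        "IpProtocol": perm["IpProtocol"],
        "FromPort": perm["FromPort"],   # whole matched range is revoked, which may be wider than 22
        "ToPort": perm["ToPort"],
        ("Ipv6Ranges" if is_v6 else "IpRanges"): [{("CidrIpv6" if is_v6 else "CidrIp"): cidr}],
    }
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[revoke_perm])
    allow_v6 = ":" in allowed_cidr
    allow_perm = {
        "IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
        ("Ipv6Ranges" if allow_v6 else "IpRanges"): [
            {("CidrIpv6" if allow_v6 else "CidrIp"): allowed_cidr, "Description": "SSH from bastion only"}
        ],
    }
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[allow_perm])
    return {"revoked": revoke_perm, "authorized": allow_perm}


class DryRunClient:
    """Records the EC2 calls instead of making them (for offline use)."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kw):
        self.calls.append(("revoke", kw))
        return {"Return": True}

    def authorize_security_group_ingress(self, **kw):
        self.calls.append(("authorize", kw))
        return {"Return": True}


# Constructed sample shaped like the 'SecurityGroups' list of describe_security_groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,   # HTTPS to the world: out of scope here
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,   # range contains 22, open over IPv6
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # already restricted to one host
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    client = DryRunClient()   # replace with boto3.client("ec2") to apply for real
    for group_id, perm, cidr in find_world_open_ssh(SAMPLE_GROUPS):
        print(f"{group_id}: SSH reachable from {cidr} via {perm['IpProtocol']} "
              f"{perm.get('FromPort')}-{perm.get('ToPort')}")
        result = remediate(client, group_id, perm, cidr, "203.0.113.10/32")
        print("  manual review needed" if result is None else f"  revoked and re-authorized: {result}")
    for name, kw in client.calls:
        print(name, kw)
```

Run it against the live list from describe_security_groups (iterate the paginator across every region) to complete step 9, and rerun find_world_open_ssh afterwards to confirm an empty result for step 10. Network ACLs are not covered here; that check remains a separate review.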

By strictly restricting SSH access to only authorized sources or IP ranges, you enhance the security posture of your VPC and align it with NIST 800-53 Revision 5 guidelines.
