
Rule: VPC Security Groups Restrict Ingress Access on Common Ports

A rule ensuring VPC security groups restrict ingress access on specific ports from all sources.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: NIST 800-53 Revision 5
Severity: High

Rule Description

This rule enforces that the Virtual Private Cloud (VPC) security groups within your network infrastructure restrict ingress access on specific ports from any IP address (0.0.0.0/0), in order to comply with NIST 800-53 Revision 5 security guidelines. The restricted ports are 20 (FTP - File Transfer Protocol, data channel), 21 (FTP control channel), 22 (SSH - Secure Shell), 3306 (MySQL), 3389 (RDP - Remote Desktop Protocol), and 4333 (custom port).

Troubleshooting Steps

If you encounter any issues while implementing this rule, you can follow these troubleshooting steps:

  1.

    Verify security group settings: Check the configuration of your security groups to ensure that the ingress rules no longer allow access on the specified ports from any source.

  2.

    Verify IP address ranges: Confirm that no ingress rule for the specified ports still lists the source range "0.0.0.0/0". A rule with that source allows access from any address on the internet, so only the specific ranges that genuinely need access should remain.

  3.

    Check for conflicting rules: Ensure that there are no other ingress rules in your security groups that still allow unrestricted access on the specified ports. Security group rules are allow-only, so any rule that covers one of these ports (for example a wide port range or an "all traffic" rule) opens it regardless of the narrower rule you removed.

  4.

    Verify Network ACLs: If you are using Network ACLs (NACLs) in addition to security groups, ensure that NACLs are also configured to block access on the specified ports from the IP address range "0.0.0.0/0".

Necessary Codes

In order to implement this rule effectively, you may need to interact with your cloud service provider's API or Command-Line Interface (CLI). Here are the AWS CLI (Amazon Web Services Command-Line Interface) commands needed for remediation:

  1.
    Get the ID of the VPC in which the security group is located:
aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName --query 'SecurityGroups[0].VpcId' --output text
  2.
    Remove the ingress rules that allow access on the specified ports from 0.0.0.0/0 (replace "YourSecurityGroupId" with the actual value). Note that revoke-security-group-ingress only removes a rule that matches exactly, so a rule written as a port range that includes one of these ports must be revoked with that same range:
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 20 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 21 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 3306 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 3389 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 4333 --cidr 0.0.0.0/0

Step-by-Step Guide for Remediation

Follow these steps to remediate the rule and ensure that VPC security groups restrict ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from 0.0.0.0/0:

  1.

    Identify the VPC: Determine the VPC in which the target security group resides. This information will be required for the subsequent steps.

  2.

    Access Command-Line Interface: Open your preferred Command-Line Interface (CLI) tool or terminal.

  3.

    Install AWS CLI (if not already installed): If you haven't installed the AWS CLI, refer to the official AWS CLI documentation for detailed installation instructions for your operating system.

  4.

    Configure AWS CLI: Once installed, configure the AWS CLI with your AWS Access Key ID, Secret Access Key, default region, and output format using the "aws configure" command.

  5.

    Obtain the security group ID: Run the following command to retrieve the ID of the security group to be modified:

aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName --query 'SecurityGroups[0].GroupId' --output text

Replace "YourSecurityGroupName" with the name of the target security group.

  6.
    Get the VPC ID: Run the following command to obtain the ID of the VPC in which the security group is located:
aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName --query 'SecurityGroups[0].VpcId' --output text

Replace "YourSecurityGroupName" with the name of the target security group.

  7.
    Restrict ingress access: Execute the following commands to remove the ingress rules that allow access on the specified ports from 0.0.0.0/0 for the identified security group:
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 20 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 21 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 3306 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 3389 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 4333 --cidr 0.0.0.0/0

Replace "YourSecurityGroupId" with the ID obtained in step 5. Each command only removes a rule that matches it exactly; if the open rule was created as a port range covering one of these ports, revoke it with the same --port range instead.

  8.
    Validate the changes: Check the security group rules in the AWS Management Console or by running the following command:
aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName

Ensure that no ingress rule for the specified ports still allows access from the IP address range "0.0.0.0/0".

  9.
    Repeat for other security groups (if applicable): If you have additional security groups that require similar restrictions, repeat steps 5-8 for each security group.

By following these steps, you will bring your VPC security groups into compliance with NIST 800-53 Revision 5 guidelines by restricting ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from the IP address range 0.0.0.0/0. The provided CLI commands will help you automate the process, ensuring consistent security configurations across your infrastructure.
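To perform the checks that the troubleshooting and validation steps above describe, here is an added example (not Cloud Defense's code) that evaluates the JSON returned by `aws ec2 describe-security-groups` for rules opening any of the six ports to everyone, including port-range and "all traffic" rules that a per-port revoke would miss, and builds the exact revoke calls. It goes beyond the rule text by treating the IPv6 source `::/0` as equivalent to `0.0.0.0/0`; the group id and rules are constructed sample data.

```python
import json

# Ports named by the rule; the "from anywhere" sources for IPv4 and, by extension, IPv6.
RESTRICTED_PORTS = (20, 21, 22, 3306, 3389, 4333)
ANYWHERE = ("0.0.0.0/0", "::/0")

def covers_port(perm, port):
    """True if one IpPermissions entry allows TCP traffic to `port`."""
    if perm.get("IpProtocol") == "-1":   # "all traffic": every protocol, every port
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def open_ports(sg):
    """Sorted (port, cidr) pairs that violate the rule for one security group."""
    found = set()
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ANYWHERE:
                found.update((p, cidr) for p in RESTRICTED_PORTS if covers_port(perm, p))
    return sorted(found)

def revoke_commands(sg):
    """One revoke call per offending rule and open source. Revocation must match
    the stored rule exactly, so a 3000-4000 range is revoked as that range (not
    as --port 3306), and only the open source is removed; narrower ones survive."""
    perms = []
    for perm in sg.get("IpPermissions", []):
        if not any(covers_port(perm, p) for p in RESTRICTED_PORTS):
            continue
        base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        perms += [dict(base, IpRanges=[{"CidrIp": r["CidrIp"]}])
                  for r in perm.get("IpRanges", []) if r["CidrIp"] in ANYWHERE]
        perms += [dict(base, Ipv6Ranges=[{"CidrIpv6": r["CidrIpv6"]}])
                  for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in ANYWHERE]
    return ["aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (sg["GroupId"], json.dumps([p], separators=(",", ":"))) for p in perms]

SAMPLE_SG = {  # constructed, shaped like describe-security-groups output; placeholder id
    "GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,     # range hiding 3306 and 3389
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,       # open, but not in scope
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all traffic from any IPv6
]}
```

Running `open_ports(SAMPLE_SG)` flags nine port/source pairs, and `revoke_commands(SAMPLE_SG)` yields three commands: the 22 rule loses only its 0.0.0.0/0 source, the 3000-4000 rule is revoked as a range, and the all-traffic IPv6 rule is removed whole.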
