
Rule for VPC Security Group Ingress Access

This rule ensures VPC security groups restrict ingress access on common ports from specific IP ranges.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description

The VPC security groups should restrict ingress access on ports 20 and 21 (FTP), 22 (SSH), 3306 (MySQL), 3389 (RDP) and 4333 (mSQL) from the IP range 0.0.0.0/0, which admits every source address. This rule is implemented to align with the guidelines provided in the NIST Cybersecurity Framework (CSF) v1. Limiting ingress on these ports to a specific, trusted IP range instead of 0.0.0.0/0 reduces the risk of unauthorized access and strengthens the overall security of the VPC.

Troubleshooting Steps (if applicable)

If any issues arise while implementing this rule, the following troubleshooting steps can be taken:

  1. Verify VPC Security Group: Verify that the targeted VPC security group is correctly associated with the concerned resources, such as EC2 instances or RDS instances.
  2. Review Ingress Rules: Double-check the ingress rules specified for the targeted security group and ensure that they include ports 20, 21, 22, 3306, 3389, and 4333 with the desired IP range.
  3. Confirm Access Restriction: Confirm that the ingress access for the specified ports from the IP range 0.0.0.0/0 is denied while allowing access to the desired IP range.
  4. Validate Network ACL: Verify the network ACL associated with the subnets to ensure that it is not blocking inbound traffic on the specified ports.

Necessary Code (if applicable)

To implement the rule, modify the ingress rules for the relevant VPC security group so that ports 20, 21, 22, 3306, 3389, and 4333 are reachable only from your specific, approved IP range rather than from 0.0.0.0/0. Below is an example JSON representation of the security group ingress rules in the shape returned by the EC2 DescribeSecurityGroups API; as written, with "CidrIp" set to 0.0.0.0/0 on every port, these are the non-compliant rules that this check flags. The remediated version keeps the same structure but replaces 0.0.0.0/0 with the approved source CIDR:

[
    {
        "IpProtocol": "tcp",
        "FromPort": 20,
        "ToPort": 20,
        "UserIdGroupPairs": [],
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0",
                "Description": "Allow inbound access on port 20"
            }
        ]
    },
    {
        "IpProtocol": "tcp",
        "FromPort": 21,
        "ToPort": 21,
        "UserIdGroupPairs": [],
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0",
                "Description": "Allow inbound access on port 21"
            }
        ]
    },
    {
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "UserIdGroupPairs": [],
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0",
                "Description": "Allow inbound access on port 22"
            }
        ]
    },
    {
        "IpProtocol": "tcp",
        "FromPort": 3306,
        "ToPort": 3306,
        "UserIdGroupPairs": [],
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0",
                "Description": "Allow inbound access on port 3306"
            }
        ]
    },
    {
        "IpProtocol": "tcp",
        "FromPort": 3389,
        "ToPort": 3389,
        "UserIdGroupPairs": [],
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0",
                "Description": "Allow inbound access on port 3389"
            }
        ]
    },
    {
        "IpProtocol": "tcp",
        "FromPort": 4333,
        "ToPort": 4333,
        "UserIdGroupPairs": [],
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0",
                "Description": "Allow inbound access on port 4333"
            }
        ]
    }
]

Note: Modify the security group ID, description, and any other applicable fields as per your actual configuration.

Remediation Steps

To implement the necessary changes and remediate the rule violation, follow these steps:

  1. Identify the relevant VPC security group: Determine the security group associated with the resources (EC2 instances, RDS instances, etc.) where you want to restrict ingress access.
  2. Access the VPC Security Groups pane: Open the AWS Management Console and navigate to the VPC service.
  3. Select the relevant security group: Locate and select the security group associated with the resources.
  4. Modify the inbound rules: In the "Inbound Rules" section, edit the existing rules or add new rules so that ports 20, 21, 22, 3306, 3389, and 4333 are allowed only from your specific, approved IP range; remove or replace any rule for these ports whose source is 0.0.0.0/0.
  5. Save the changes: After configuring the desired rules, save the changes made to the security group.
  6. Validate the new rules: Verify that the ingress access to the specified ports is now restricted to the allowed IP range while denying access from other sources.

By following these steps, you will effectively restrict ingress access on the specified ports according to the NIST CSF v1 guidelines.
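The following script is an added example (not Cloud Defense's own checker) that performs the check described on this page and the validation in step 6 above over the IpPermissions structure shown in the "Necessary Code" section. It evaluates rules the way the EC2 API expresses them: a port range on a tcp rule covers every port in [FromPort, ToPort], IpProtocol "-1" means all traffic and carries no port keys, and an IPv6 source of ::/0 is as open as 0.0.0.0/0. The security group records and the 203.0.113.0/24 "approved" CIDR (an RFC 5737 documentation range) are constructed for the example; in practice the same dictionaries come from boto3's ec2.describe_security_groups().

```python
"""Flag security group ingress rules that expose the watched ports to any address.

Added example, not the page's or Cloud Defense's own code. Input is the
IpPermissions shape returned by EC2 DescribeSecurityGroups. SAMPLE_GROUPS and
the group ids are constructed; 203.0.113.0/24 stands in for an approved CIDR.
"""
import ipaddress

WATCHED_PORTS = (20, 21, 22, 3306, 3389, 4333)

# Sources that admit every address, in IPv4 and IPv6 form.
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")
ANY_IPV6 = ipaddress.ip_network("::/0")

SAMPLE_GROUPS = [  # constructed sample data
    {
        "GroupId": "sg-example-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # A port range that silently covers 3306 and 3389.
            {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            # Port 443 open to the world is outside this rule's scope.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-example-all-traffic",
        "IpPermissions": [
            # "-1" = all protocols and ports; no FromPort/ToPort keys are present.
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-example-restricted",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def _is_any_source(cidr):
    """True if the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False) in (ANY_IPV4, ANY_IPV6)


def _ports_covered(permission, ports):
    """Return the watched ports a single permission reaches."""
    proto = permission.get("IpProtocol")
    if proto == "-1":            # all traffic: every port, every protocol
        return list(ports)
    if proto not in ("tcp", "6"):  # the watched services are TCP
        return []
    lo, hi = permission.get("FromPort"), permission.get("ToPort")
    if lo is None or hi is None:
        return []
    return [p for p in ports if lo <= p <= hi]


def find_open_ingress(group, ports=WATCHED_PORTS):
    """Return sorted (port, source) pairs where the group admits any address on a watched port."""
    findings = set()
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_sources = [s for s in sources if _is_any_source(s)]
        for port in _ports_covered(perm, ports) if open_sources else []:
            findings.update((port, src) for src in open_sources)
    return sorted(findings)


def audit(groups, ports=WATCHED_PORTS):
    """Map each GroupId to its findings; a compliant group maps to an empty list."""
    return {g["GroupId"]: find_open_ingress(g, ports) for g in groups}


def restrict_permission(permission, approved_cidr):
    """Return a copy of a permission with any-address sources replaced by approved_cidr.

    This is the shape to authorize after the 0.0.0.0/0 rule is revoked; it does
    not call AWS. An IPv6 ::/0 source is dropped rather than mapped to an IPv4 CIDR.
    """
    fixed = dict(permission)
    fixed["IpRanges"] = [{**r, "CidrIp": approved_cidr} if _is_any_source(r["CidrIp"]) else r
                         for r in permission.get("IpRanges", [])]
    fixed["Ipv6Ranges"] = [r for r in permission.get("Ipv6Ranges", [])
                           if not _is_any_source(r["CidrIpv6"])]
    return fixed


if __name__ == "__main__":
    for group_id, findings in audit(SAMPLE_GROUPS).items():
        print("FAIL" if findings else "PASS", group_id, findings)
```

Running the script prints FAIL for the first two constructed groups and PASS for the restricted one. The range and "-1" handling is the part worth keeping when adapting this: a check that only compares FromPort and ToPort for exact equality with the six ports misses a 3300-3400 rule and an all-traffic rule, both of which expose the same services.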
