Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0
High severity rule requiring VPC security groups to limit TCP and UDP access from all IPs.
| Rule | VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0 |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ High |
Rule Description:
The VPC security groups should enforce restrictions on ingress TCP and UDP access from the IP range 0.0.0.0/0 in accordance with the NIST Cybersecurity Framework (CSF) version 1. This rule aims to enhance the security of the Virtual Private Cloud (VPC) by minimizing the potential attack surface and mitigating the risk of unauthorized access.
Troubleshooting Steps:
If there are any issues with implementing or enforcing this rule, follow these troubleshooting steps:
- 1.Verify Security Group Rules: Check the existing rules of the VPC security groups to ensure that ingress TCP and UDP access from 0.0.0.0/0 is appropriately restricted.
- 2.Check Port Configurations: Ensure that only necessary ports are open and accessible for legitimate traffic. Review the port configurations against the approved NIST CSF guidelines.
- 3.Enforce Source IP Restrictions: If needed, modify the security group rules to restrict access to specific source IP addresses or IP ranges based on the approved requirements of your organization.
Necessary Codes:
If any code snippet is required for compliance with this rule, refer to the following examples:
- AWS CLI Command:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-number> --cidr 0.0.0.0/0 --region <aws-region>
Replace
<security-group-id><port-number><aws-region>- Terraform Configuration:
resource "aws_security_group_rule" "<rule-name>" {
security_group_id = aws_security_group.<security-group-resource>.id
type = "ingress"
protocol = "tcp"
from_port = <port-number>
to_port = <port-number>
cidr_blocks = ["0.0.0.0/0"]
}
Replace
<rule-name><security-group-resource><port-number>Note: Make sure to adapt the above code snippets based on your specific requirements and preferred infrastructure provisioning tool.
Steps for Remediation:
To remediate this rule and enforce ingress TCP and UDP access restrictions from 0.0.0.0/0 in VPC security groups, follow the step-by-step guide below:
- 1.
Identify the relevant VPC security group: Determine the security group that requires modification to apply the ingress access restrictions.
- 2.
Update security group rules:
- Access your chosen cloud platform's management console or use the appropriate command-line tool (e.g., AWS CLI, Azure CLI, etc.).
- Locate the VPC security groups section and navigate to the specific security group identified in step 1.
- Edit the inbound rules for the security group, removing any existing rules allowing ingress TCP and UDP access from 0.0.0.0/0.
- Add new inbound rules to allow access only from the required IP addresses or IP ranges, based on the NIST CSF guidelines you need to follow.
- Save and apply the changes.
- 3.
Verify the changes:
- Ensure that the security group now enforces ingress access restrictions based on the updated rules.
- Test the connectivity from appropriate IP addresses to verify that the necessary access is still allowed while blocking access from unauthorized sources.
- 4.
Document and communicate:
- Update the documentation to reflect the changes made to the security group rules.
- Communicate the changes to the relevant stakeholders or team members impacted by this modification.
Final Note:
Maintaining strong security practices within the VPC is crucial for protecting your infrastructure from potential threats. By adhering to the NIST CSF guidelines and implementing necessary ingress TCP and UDP access restrictions, you can bolster the security of your VPC environment.