
Rule: VPC Security Groups Restrict Ingress Access on Common Ports

This rule ensures VPC security groups restrict access on specific common ports from all sources.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: AWS Audit Manager Control Tower Guardrails
Severity: High

VPC Security Groups: Restrict Ingress Access

Amazon Web Services (AWS) security groups act as a virtual firewall for EC2 instances, controlling inbound and outbound traffic. To reduce exposure, certain ports should not be reachable from the entire internet, represented by the CIDR block 0.0.0.0/0. This guide details the steps to restrict ingress access on these ports within a VPC security group, as required by the AWS Audit Manager Control Tower Guardrails.

Description of the Rule

Security groups in AWS VPC should have restrictions to prevent unrestricted access to specific ports that are commonly targeted for exploitation:

  • Port 20 (FTP data transfer)
  • Port 21 (FTP command control)
  • Port 22 (SSH access)
  • Port 3306 (MySQL database access)
  • Port 3389 (RDP for Windows instances)
  • Port 4333 (commonly used for HTTPS, although the standard port is 443)

Ingress traffic from 0.0.0.0/0 to these ports should be prohibited to prevent unauthorized access, data breaches, or other security incidents.

Troubleshooting Steps

If you suspect that your security groups are misconfigured, follow these steps:

Review Security Group Rules

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 service.
  3. In the sidebar, click on "Security Groups."
  4. Select the security group to review its rules.

Assess Ingress Rules

  1. In the "Inbound rules" tab, look for rules that have the following:
     • Port(s): 20, 21, 22, 3306, 3389, 4333
     • Source: 0.0.0.0/0
  2. Document any security groups with such rules, as they need remediation.

Remediation Steps

To change the ingress rules, you can use either the AWS Management Console or the AWS CLI.

Using the AWS Management Console

  1. Navigate to the "Inbound rules" of the security group.
  2. Find rules that match the above criteria.
  3. Click "Edit rules" to modify them.
  4. Change the source to a specific IP range, or delete the rule if it is unnecessary.
  5. Save the changes.

Using the AWS CLI

For each port that needs to be restricted, the following commands can be used to revoke the problematic rule:

aws ec2 revoke-security-group-ingress --group-id sg-xxxxxx --protocol tcp --port <PORT_NUMBER> --cidr 0.0.0.0/0

Replace sg-xxxxxx with the security group ID and <PORT_NUMBER> with the actual port that needs to be restricted.

Repeat this command for ports 20, 21, 22, 3306, 3389, and 4333.

Verification Step

Once you have updated your rules, verify the changes:

  1. Run the following command to describe the security group rules:
     aws ec2 describe-security-groups --group-ids sg-xxxxxx
  2. Confirm that no ingress rules allow traffic from 0.0.0.0/0 to the specified ports.
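As an added example (not from the original page), the following Python script reads the JSON printed by the describe-security-groups command above and reports which of the six restricted ports each group exposes to 0.0.0.0/0. It goes slightly beyond a port-by-port glance by also catching port ranges that cover a restricted port and "All traffic" (IpProtocol -1) rules; the group IDs and rules in the embedded sample are constructed placeholders.

```python
import json

RESTRICTED_PORTS = {20, 21, 22, 3306, 3389, 4333}
OPEN_WORLD = "0.0.0.0/0"

# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# the group ids are placeholders, not real resources.
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-xxxxxx", "IpPermissions": [
        # HTTPS from anywhere: not one of the restricted ports, so not flagged
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": OPEN_WORLD}]},
        # SSH limited to one documentation-range network: compliant
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        # A port range that silently covers MySQL (3306) and RDP (3389)
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": OPEN_WORLD}]}]},
    {"GroupId": "sg-yyyyyy", "IpPermissions": [
        # "All traffic" rule: no FromPort/ToPort keys, every port is open
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": OPEN_WORLD}]}]}]})

def exposed_ports(permission):
    """Restricted ports that one IpPermissions entry opens to 0.0.0.0/0."""
    if not any(r.get("CidrIp") == OPEN_WORLD for r in permission.get("IpRanges", [])):
        return set()
    proto = permission.get("IpProtocol")
    if proto == "-1":  # all protocols and all ports
        return set(RESTRICTED_PORTS)
    if proto not in ("tcp", "udp"):  # e.g. icmp carries no port numbers
        return set()
    low, high = permission["FromPort"], permission["ToPort"]
    return {p for p in RESTRICTED_PORTS if low <= p <= high}

def find_violations(describe_output):
    """Map each non-compliant group id to the sorted restricted ports it exposes."""
    findings = {}
    for group in json.loads(describe_output)["SecurityGroups"]:
        ports = set()
        for perm in group.get("IpPermissions", []):
            ports |= exposed_ports(perm)
        if ports:
            findings[group["GroupId"]] = sorted(ports)
    return findings

if __name__ == "__main__":
    for gid, ports in find_violations(SAMPLE_OUTPUT).items():
        print(f"{gid}: restricted ports open to {OPEN_WORLD}: {ports}")
```

To check a live account, pass the text printed by the describe-security-groups command to find_violations in place of SAMPLE_OUTPUT.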

By following this detailed guide and ensuring that VPC security groups restrict ingress access on vulnerable ports from the open internet, you can significantly improve the security posture of your AWS environment, complying with Control Tower Guardrails and best security practices.
