
Rule: VPC Security Groups Restrict Ingress SSH Access

This rule enforces restrictions on SSH access in VPC security groups.

Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework: AWS Audit Manager Control Tower Guardrails
Severity: High

VPC Security Groups: Restrict Ingress SSH Access

When you manage cloud infrastructure, especially on AWS, it's essential to ensure the best security practices are followed to protect your resources. One such best practice is to limit SSH access to your instances. The AWS Audit Manager Control Tower Guardrails recommend that VPC security groups should restrict ingress SSH access from '0.0.0.0/0', which represents allowing SSH access from any IP address on the internet. This can lead to serious security risks, making your system vulnerable to brute force attacks and other malicious activities.

Understanding the Rule

Security groups in AWS act as a virtual firewall for your EC2 instances, controlling inbound and outbound traffic. A security group should not allow unrestricted ingress (0.0.0.0/0) to TCP port 22, the port used for SSH, because that exposes the instance to connection attempts from any host on the internet and increases the possibility of unauthorized access.

Troubleshooting Steps

To verify whether you have any security groups with inbound rules allowing SSH access from '0.0.0.0/0', follow these steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 Dashboard.
  3. On the left panel, click on 'Security Groups'.
  4. Search through the security groups for any inbound rules that allow SSH (22/TCP) from '0.0.0.0/0'.

If you find any security group with such rules, plan to restrict the access.

Remediation Steps

To update the security group rules, you can use the AWS Management Console or AWS CLI (Command Line Interface):

Using AWS Management Console

  1. Log in to the AWS Console.
  2. Go to the EC2 Dashboard.
  3. Click 'Security Groups' and select the group with the open SSH rule.
  4. Click on the 'Inbound rules' tab.
  5. Find the rule allowing SSH access from '0.0.0.0/0'.
  6. Click on the 'Edit inbound rules' button.
  7. Change the 'Source' to your IP (if you need direct access), or better yet, a VPN or jumpbox IP.
  8. Save the rules.

Using AWS CLI

  1. Identify the ID of the security group with the rule you want to change. Note that this query lists every group with a rule open to 0.0.0.0/0 on any protocol or port, so confirm the SSH rule before revoking (the CIDR is a JMESPath string literal in single quotes; backticks here would be run as a shell command substitution):

aws ec2 describe-security-groups --query "SecurityGroups[?contains(IpPermissions[].IpRanges[].CidrIp, '0.0.0.0/0')].[GroupId]" --output text

  2. Revoke the existing SSH ingress rule.

aws ec2 revoke-security-group-ingress --group-id YOUR_SECURITY_GROUP_ID --protocol tcp --port 22 --cidr 0.0.0.0/0

  3. Authorize a new SSH ingress rule for a specific IP or range.

aws ec2 authorize-security-group-ingress --group-id YOUR_SECURITY_GROUP_ID --protocol tcp --port 22 --cidr YOUR_IP_ADDRESS/32

Ensure you replace YOUR_SECURITY_GROUP_ID and YOUR_IP_ADDRESS/32 with the appropriate values.
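The describe-security-groups query above flags any group with a rule open to 0.0.0.0/0, whatever the port. The following is an added example, not part of this page or the Cloud Defense product, that evaluates the JSON returned by that command for the rule as written: it reports only groups whose inbound rules actually reach TCP/22 from the whole internet, and it also treats an all-protocol ("-1") rule and the IPv6 equivalent ::/0 as violations, which goes slightly beyond the page's IPv4-only wording. The security group data, group IDs and addresses are constructed for the example.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields the check needs. Group IDs and addresses are made up.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "legacy-admin", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "wide-open", "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ddd", "GroupName": "bastion-only", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]}
]}
""")

# Sources that mean "anywhere on the internet" (IPv4 and IPv6).
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def rule_exposes_ssh(perm: dict) -> bool:
    """True if one IpPermissions entry lets TCP/22 in from the whole internet."""
    proto = perm.get("IpProtocol")
    # "-1" means every protocol and port, so it covers SSH; otherwise the
    # rule must be TCP with a port range that includes 22 (e.g. 0-1024).
    if proto == "tcp":
        if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
            return False
    elif proto != "-1":
        return False
    sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return bool(sources & ANY_SOURCE)


def find_open_ssh_groups(describe_output: dict) -> list:
    """Return the sorted GroupIds whose inbound rules violate the SSH rule."""
    return sorted(
        sg["GroupId"] for sg in describe_output["SecurityGroups"]
        if any(rule_exposes_ssh(p) for p in sg.get("IpPermissions", []))
    )
```

On the sample data this reports sg-0bbb and sg-0ccc; the web group open only on 443 and the bastion-restricted group are not flagged, unlike with the CIDR-only JMESPath query.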

SEO-friendly Aspects

  • Clear and accurate descriptions ensure relevance
  • Step-by-step format enhances readability and user experience
  • Sharing troubleshooting and remediation code snippets adds value
  • Targeting keywords like "VPC security groups", "AWS Audit Manager", "Control Tower Guardrails", "restrict SSH access"

Note

Always test changes in a controlled environment before applying them to production. It is also a good practice to log such changes for auditing purposes. You should also review your VPC security group configurations regularly and update them according to the changes in your access requirements.
