Rule: Security Groups for Authorized Ports
This rule ensures only authorized ports have unrestricted incoming traffic.
| Rule | Security groups should only allow unrestricted incoming traffic for authorized ports |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ High |
Rule Description
The rule ensures that security groups in AWS are configured to only allow unrestricted incoming traffic for authorized ports. This practice enhances the security of your AWS infrastructure by limiting the exposure of your resources to potential vulnerabilities.
Rule Remediation
- 1.Identify the security groups that allow unrestricted incoming traffic.
- 2.Review the authorized ports and update the security group rules to allow incoming traffic only for authorized ports.
- 3.Remove any unnecessary or unused rules to minimize potential attack vectors and reduce the risk of unintended access.
- 4.Test your resources to ensure that they are accessible only through the authorized ports.
Troubleshooting Steps
1. Identify Security Groups Allowing Unrestricted Incoming Traffic
- 1.Log in to the AWS Management Console.
- 2.Open the Amazon EC2 service.
- 3.Navigate to the "Security Groups" page.
2. Review Authorized Ports
- 1.Identify the security groups that allow unrestricted incoming traffic.
- 2.Review the associated rules and identify the authorized ports.
- 3.Ensure that these authorized ports align with your application requirements and security policies.
3. Update Security Group Rules
- 1.Select the security group that allows unrestricted incoming traffic.
- 2.Click on the "Inbound Rules" tab.
- 3.Identify the specific rules that need to be modified.
- 4.Click on the "Edit" button for the rule that needs to be updated.
- 5.Modify the rule to allow incoming traffic only for authorized ports.
- 6.Save the changes.
4. Remove Unnecessary Rules
- 1.Identify any unnecessary or unused rules in the security group.
- 2.Select the rule that needs to be removed.
- 3.Click on the "Delete" button to remove the rule.
- 4.Confirm the deletion when prompted.
5. Test Resource Accessibility
- 1.Ensure that your resources are accessible only through the authorized ports.
- 2.Test the accessibility of the resources from the public internet.
- 3.Verify that the resources are not accessible through unauthorized ports.
Example CLI Command
The following AWS CLI command can be used to modify a security group rule and allow incoming traffic for an authorized port:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port> --cidr <allowed-cidr-block>
Replace
<security-group-id><protocol><port><allowed-cidr-block>Note: Make sure you have the necessary permissions to modify security group rules.
Conclusion
Following the AWS Foundational Security Best Practice of allowing unrestricted incoming traffic only for authorized ports helps in strengthening the security posture of your AWS infrastructure. By ensuring that security groups are properly configured, you can reduce the risk of unauthorized access and potential security breaches. Regularly reviewing and updating security group rules is essential to maintain a secure environment.