
Ensure No Security Groups Allow Ingress Rule

This rule ensures that no security groups allow ingress from 0.0.0.0/0 to remote server administration ports.

Rule: Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports
Framework: cis_v140
Severity: High

Ensure No Security Groups Allow Ingress from 0.0.0.0/0 to Remote Server Administration Ports

Remote server administration ports, such as RDP (port 3389) and SSH (port 22), are commonly targeted by attackers. To reduce the risk of unauthorized access to your servers, it's a crucial security practice to prevent ingress traffic from the open internet (0.0.0.0/0) to these ports.

Rule Details

Security Groups in cloud environments like AWS are stateful virtual firewalls that control inbound and outbound traffic to instances (strictly, to their network interfaces). The CIS AWS Foundations Benchmark v1.4.0 (the cis_v140 framework this rule belongs to) recommends that no security group permit ingress to administrative ports from the entire internet, i.e. from 0.0.0.0/0.

The CIS recommendation names the two standard remote server administration ports:

  • SSH (22)
  • RDP (3389)

Database listeners such as MySQL (3306) and PostgreSQL (5432) are not administration ports in the sense of this rule, but exposing them to 0.0.0.0/0 carries the same kind of risk and is worth checking with the same method.

Troubleshooting Steps

If a security group violates this rule by allowing ingress from 0.0.0.0/0 to remote administration ports, follow these steps:

1. Identify Security Groups with Open Ports

Using AWS CLI, you can list all security groups and their rules using the following command:

aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Ingress:IpPermissions}' --output json

Look for rules whose port range covers an administration port, that is FromPort <= 22 <= ToPort or FromPort <= 3389 <= ToPort, and whose IpRanges contain 0.0.0.0/0. Matching only on FromPort equal to 22 or 3389 is not enough: a rule for 0-65535 exposes the same ports, and a rule with IpProtocol "-1" (all traffic) has no FromPort or ToPort at all and covers every port. Check Ipv6Ranges for ::/0 as well; it is the IPv6 equivalent of 0.0.0.0/0 and the benchmark treats it the same way in a separate recommendation.

2. Analyze the Purpose of the Rule

Before making any changes, determine why the rule exists. It could be for a legitimate reason, though it may need to be scoped down.

3. Update or Delete the Rule

To Restrict IP Address Range

Change the IP range to a more limited scope by revoking the open rule and authorizing a scoped one, replacing <SecurityGroupId> with the appropriate ID and <Port> with the administration port number. The revoke must match the existing rule exactly, so a rule that was created for a range such as 0-65535 has to be revoked with --port 0-65535, not --port 22:

aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port <Port> --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port <Port> --cidr <YourSpecificIPRange>

To Remove the Rule Entirely

aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port <Port> --cidr 0.0.0.0/0

Step by Step Guide for Remediation

  1. Identify Offending Security Groups: Run the AWS CLI command to describe security groups and find those with open administration ports.

  2. Assess the Configuration: Determine the purpose and need for the existing rule.

  3. Choose the Corrective Action:

    • For specific trusted IPs: Replace 0.0.0.0/0 with trusted IP ranges.
    • To remove access: Revoke ingress from 0.0.0.0/0.

  4. Update the Security Group Rules:

    • Use aws ec2 revoke-security-group-ingress to remove the inbound rule.
    • Use aws ec2 authorize-security-group-ingress to add new rules if necessary.

  5. Validate the Rule Change: Once the command is executed, re-run the describe-security-groups command and confirm that the rule has been updated or removed accordingly.

  6. Document the Change: Keep a log of the change for security compliance.

  7. Monitor for Unintended Consequences: Ensure that services and operators relying on these ports are still functioning with the updated security measures; the address you administer from must be inside the new trusted range.

By following these steps and implementing more secure policies, organizations can significantly reduce their attack surface and protect their remote servers from unauthorized access.
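The detection half of the procedure above, as an added example that is not from the original page or from Cloud Defense: it reads the JSON produced by the aws ec2 describe-security-groups command shown earlier (here a constructed sample embedded inline so it runs offline), flags every rule whose port range reaches 22 or 3389 from 0.0.0.0/0 or ::/0, including the all-traffic and wide-range cases that a literal FromPort == 22 search misses, and emits the matching revoke command for each finding. The group IDs and CIDRs in the sample are made up. The --ip-permissions form of aws ec2 revoke-security-group-ingress is used for the generated commands because the --port/--cidr form cannot express an all-traffic ("-1") or IPv6 rule.

```python
"""Flag security-group ingress rules that expose remote administration ports
to the whole internet, working from `aws ec2 describe-security-groups` JSON."""
import ipaddress
import json

ADMIN_PORTS = frozenset({22, 3389})  # SSH and RDP, the ports named by the CIS rule


def _port_overlap(perm, ports):
    """True if the permission covers any of `ports` over TCP.
    IpProtocol "-1" means all traffic: it has no FromPort/ToPort and covers everything."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in ports)


def _world_open_cidrs(perm):
    """CIDRs in this permission that cover the entire IPv4 or IPv6 internet.
    A prefix length of 0 catches 0.0.0.0/0 and ::/0 without string matching."""
    found = []
    for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
        for entry in perm.get(key, []):
            cidr = entry.get(field)
            try:
                if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    found.append(cidr)
            except ValueError:  # malformed CIDR in the input: skip, do not crash
                continue
    return found


def find_open_admin_ingress(describe_output, admin_ports=ADMIN_PORTS):
    """Walk describe-security-groups output and return one finding per
    (group, permission, world-open CIDR) that reaches an admin port."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not _port_overlap(perm, admin_ports):
                continue
            for cidr in _world_open_cidrs(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Cidr": cidr,
                })
    return findings


def revoke_command(finding):
    """Build the exact revoke call for one finding. Revocation must match the
    existing rule precisely, so the protocol, full port range and CIDR are
    passed through unchanged."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if ":" in finding["Cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["Cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["Cidr"]}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], json.dumps([perm])))


# Constructed sample in the shape `aws ec2 describe-security-groups --output json`
# returns; the group IDs and addresses are made up for this example.
SAMPLE = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f60001", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0a1b2c3d4e5f60002", "IpPermissions": [
            # wide range that silently covers 22 and 3389; FromPort == 22 would miss it
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # IPv6 equivalent of 0.0.0.0/0
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0a1b2c3d4e5f60003", "IpPermissions": [
            # scoped to a trusted range: compliant
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            # all traffic, but only from a private range: compliant for this rule
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            # UDP 22 open to the world is not SSH: out of scope for this rule
            {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    ]
}

if __name__ == "__main__":
    for f in find_open_admin_ingress(SAMPLE):
        print("%s %s %s-%s from %s" % (f["GroupId"], f["IpProtocol"],
                                       f["FromPort"], f["ToPort"], f["Cidr"]))
        print("  " + revoke_command(f))
```

To run it against a real account, pipe the describe-security-groups output into the script (for example `json.load(sys.stdin)` in place of SAMPLE) and review each printed revoke command against step 2 before executing it; the script deliberately prints commands rather than calling the API so that a human decides what to revoke.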

SEO Friendly and Acceleration Tips

  1. Use Descriptive Subheadings: Effective use of subheadings helps with SEO by organizing content and making it appealing for search engines and readers.

  2. Incorporate Relevant Keywords: Identify and use keywords such as "CIS compliance", "AWS security group configuration", and "secure server administration" to improve search visibility.

  3. Create Quality Content: Information should be accurate and of high quality to encourage backlinks and shares, further improving SEO.

  4. Mobile Optimization: Since a significant portion of searches are done on mobile devices, ensure the content is mobile-friendly.

  5. Fast Loading Pages: Optimize for faster loading times, as page speed is a factor in search engine rankings.

By implementing these strategies in the creation and maintenance of web content, visibility in search engines can be improved, attracting more organic traffic.
