
Rule: VPC Security Groups Restrict Ingress Access on Common Ports

This rule ensures VPC security groups restrict ingress access on specific common ports to enhance network security.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: CISA-cyber-essentials
Severity: High

Rule Description:

VPC security groups should not allow ingress on the listed ports from the IP range 0.0.0.0/0, which is required for CISA Cyber Essentials compliance. A rule that permits these ports from 0.0.0.0/0 exposes FTP (20, 21), SSH (22), MySQL (3306), RDP (3389) and port 4333 to every address on the internet, which is exactly the surface that brute-force and credential-stuffing scanners probe first. The IPv6 equivalent, ::/0, has the same effect and should be treated the same way. The goal of this rule is that only necessary and authorized traffic, from known source ranges, is allowed into the VPC.

Troubleshooting Steps:

  1. Validate that the VPC security groups are properly configured.
  2. Check whether ingress on the listed ports (20, 21, 22, 3306, 3389, 4333) is already restricted.
  3. Verify that no inbound rule allows these ports from 0.0.0.0/0 (or from ::/0). Security groups have no deny rules: traffic that no rule allows is dropped, so the check is for the absence of an allow rule, not the presence of a deny. Remember that a rule covering a port range (for example 0-65535) or all traffic (protocol -1) also exposes these ports.
  4. Review the current rules in the security group to identify any misconfigured or unnecessary entries.
  5. Confirm that the security groups are associated with the appropriate resources, such as EC2 instances or RDS database instances.

Necessary Code:

Security groups are allow-lists with an implicit deny, so an open port is closed by revoking the rule that allows it, not by adding a deny entry. The commands below remove an allow rule for each listed port from 0.0.0.0/0. Each revoke must match the existing rule exactly (protocol, port range and CIDR); a rule for 0-65535 or for all traffic (protocol -1) has to be revoked with that same range or protocol. Be aware that aws ec2 authorize-security-group-ingress with the same arguments does the opposite and opens the port to the internet.

# Example: Revoke ingress on port 20 (FTP data) from 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 20 --cidr 0.0.0.0/0

# Example: Revoke ingress on port 21 (FTP control) from 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 21 --cidr 0.0.0.0/0

# Example: Revoke ingress on port 22 (SSH) from 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0

# Example: Revoke ingress on port 3306 (MySQL) from 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3306 --cidr 0.0.0.0/0

# Example: Revoke ingress on port 3389 (RDP) from 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0

# Example: Revoke ingress on port 4333 from 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 4333 --cidr 0.0.0.0/0

# Example: Where access is genuinely needed, re-add the port for a trusted range only (SSH from a corporate CIDR)
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr <trusted-cidr>

Remediation Steps:

Follow the step-by-step guide below to remediate the issue:

  1. Identify the target VPC or the associated security group that needs to be modified.
  2. Determine the security group ID for the identified security group.
  3. Using the AWS CLI or the management console, sign in to your AWS account and navigate to the VPC or security groups section, depending on the required changes.
  4. Locate the security group that needs modification and select it.
  5. Review the existing inbound rules to identify any misconfigured entries or open ports that violate the compliance requirement, including port-range and all-traffic rules that cover the listed ports.
  6. Remove any unnecessary or conflicting inbound rules that allow ingress on ports 20, 21, 22, 3306, 3389, or 4333 from the 0.0.0.0/0 IP range (and from ::/0).
  7. If any of the listed ports are still allowed from 0.0.0.0/0, revoke those rules. Security groups cannot express a deny, so restriction is achieved by removing the broad allow and, where access is genuinely required, adding a narrower allow from a trusted CIDR, a VPN range, or a bastion host's security group.
  8. Test access to verify that only authorized traffic is allowed through the configured ports, for example by attempting a connection from an address outside the trusted range and confirming it is dropped.
  9. Monitor the security group for any changes or anomalies to ensure ongoing compliance.

Note: It is recommended to perform these changes during a maintenance window or with proper precautionary measures to avoid any unintended disruption to your services.
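The troubleshooting and remediation steps above both come down to the same check: find every inbound rule that reaches one of the listed ports from 0.0.0.0/0 or ::/0, including port-range and all-traffic rules, and build a revoke that matches that rule exactly. The script below is an added example (not Cloud Defense's tooling) that runs that check offline over the JSON shape returned by aws ec2 describe-security-groups --output json. The security group IDs, names and rules in SAMPLE are constructed for the example; Finding, find_open_common_ports and revoke_command are names chosen here.

```python
"""Audit security-group JSON for common ports open to the world and emit
the matching revoke commands.  Input is the "SecurityGroups" list from
`aws ec2 describe-security-groups --output json`; SAMPLE below is
constructed for this example, not real account data."""
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Ports the rule on this page covers, and the two "anywhere" CIDRs.
COMMON_PORTS = (20, 21, 22, 3306, 3389, 4333)
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str              # "tcp" or "-1" (all traffic)
    from_port: Optional[int]   # None for protocol -1
    to_port: Optional[int]
    cidr: str
    exposed: Tuple[int, ...]   # which of COMMON_PORTS this rule reaches


def _rule_covers(perm, port):
    """True if one IpPermissions entry allows TCP to `port`.
    Protocol -1 means all traffic and carries no FromPort/ToPort."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False   # e.g. a UDP rule on 53 is not in scope
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_common_ports(groups):
    """One Finding per (rule, world CIDR) that exposes a common port.
    A single 0-65535 rule yields one finding listing all six ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            exposed = tuple(p for p in COMMON_PORTS if _rule_covers(perm, p))
            if not exposed:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])
                     if r.get("CidrIp") == ANY_V4]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                      if r.get("CidrIpv6") == ANY_V6]
            for cidr in cidrs:
                findings.append(Finding(sg["GroupId"], perm["IpProtocol"],
                                        perm.get("FromPort"), perm.get("ToPort"),
                                        cidr, exposed))
    return findings


def revoke_command(f):
    """Build the CLI call that removes exactly this rule.  The revoke has to
    match the stored rule (protocol, port range, CIDR) or EC2 rejects it, so
    the rule's own range is used rather than the single port that matched."""
    if f.cidr == ANY_V4:
        ranges = f"IpRanges=[{{CidrIp={f.cidr}}}]"
    else:
        ranges = f"Ipv6Ranges=[{{CidrIpv6={f.cidr}}}]"
    if f.protocol == "-1":
        perm = f"IpProtocol=-1,{ranges}"
    else:
        perm = (f"IpProtocol={f.protocol},FromPort={f.from_port},"
                f"ToPort={f.to_port},{ranges}")
    return (f"aws ec2 revoke-security-group-ingress --group-id {f.group_id} "
            f"--ip-permissions '{perm}'")


# Constructed sample: a compliant bastion group and a non-compliant legacy group.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa111", "GroupName": "bastion",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb222", "GroupName": "legacy-db",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")


def audit(groups):
    """Return the list of revoke commands for every finding."""
    return [revoke_command(f) for f in find_open_common_ports(groups)]


if __name__ == "__main__":
    for cmd in audit(SAMPLE["SecurityGroups"]):
        print(cmd)
```

To run it against a real account, replace SAMPLE with the parsed output of aws ec2 describe-security-groups --output json and review the printed commands before executing them; the script only generates them. The exact-match requirement in revoke_command is the reason the page's per-port commands will not remove a 0-65535 or all-traffic rule: those must be revoked with the range or protocol they were created with, and then replaced with narrow allows from trusted sources.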
