
Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0

This rule ensures that VPC security groups restrict ingress TCP and UDP access from 0.0.0.0/0.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: CISA-cyber-essentials
Severity: High

VPC Security Group Rule: Restrict Ingress TCP and UDP Access from 0.0.0.0/0 for CISA Cyber Essentials

Description

This rule checks that the ingress (inbound) rules of your VPC security groups do not allow TCP or UDP traffic from the 0.0.0.0/0 source range, as required for compliance with the CISA Cyber Essentials framework. A source of 0.0.0.0/0 (shown as "Anywhere-IPv4" in the console) admits every IPv4 address on the internet, so any service listening on that port is reachable by any host that can scan for it. Replacing it with the specific address ranges that actually need access reduces the attack surface and the risk of unauthorized access to resources in the VPC.

This rule aligns with least-privilege network design and helps safeguard sensitive data and resources hosted within your VPC.

Possible Issues

1. Ingress Allow Rules: Security groups may have ingress rules that allow unrestricted TCP or UDP access from the 0.0.0.0/0 IP range.
2. Incorrect Protocol Restrictions: A rule whose protocol is "All traffic" (protocol -1) also permits TCP and UDP from 0.0.0.0/0 even though neither protocol is named explicitly, so a check or a cleanup that only looks for rules labelled "tcp" or "udp" will miss it.

Troubleshooting Steps

1. Identify the VPC security groups that require modification.
2. Check for any existing inbound rules that allow TCP and UDP access from the 0.0.0.0/0 IP range.
3. Validate whether the security group rules match the requirements set by the CISA Cyber Essentials guidelines.
4. Modify the security group rules to limit ingress access for TCP and UDP protocols from the 0.0.0.0/0 IP range.

Necessary Code

The following snippet shows how to replace an open ingress rule using the AWS Command Line Interface (CLI). Security group rules are not edited in place from the CLI: the over-permissive rule is revoked and a new rule with a trusted source range is authorized. Note that authorize-security-group-ingress with --cidr 0.0.0.0/0 would create the open rule this check flags, so it must only ever be called with a restricted CIDR. Modify the template as per your specific requirements.

# Remove the open rule, then re-add it restricted to a trusted source range
aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol tcp --port <port_number> --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <security_group_id> --protocol tcp --port <port_number> --cidr <trusted_cidr>
aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol udp --port <port_number> --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <security_group_id> --protocol udp --port <port_number> --cidr <trusted_cidr>

Ensure you replace <security_group_id> with the actual ID of the security group you want to modify, <port_number> with the TCP/UDP port number of the rule, and <trusted_cidr> with the specific address range (for example your corporate egress range or a bastion host's /32) that legitimately needs access. Run the revoke and authorize commands for a given port back to back so that legitimate clients are not cut off for longer than necessary.
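The troubleshooting steps above (find the groups, find the open TCP/UDP rules, then fix them) can be scripted against the JSON that "aws ec2 describe-security-groups --output json" returns. The following Python is an added example written for this page, not code from Cloud Defense or from AWS. It runs offline on a constructed sample of that JSON (the group IDs and names are made up), flags every TCP, UDP or "All traffic" (-1) ingress rule whose source is 0.0.0.0/0, and emits the matching revoke-security-group-ingress command for each finding. It goes slightly beyond the rule's literal wording in two ways, both assumptions of this example: it also reports the IPv6 equivalent ::/0, and it accepts an allow-list of ports (such as 443 on an internet-facing load balancer) that are intentionally public, so the output only lists rules that actually need changing.

```python
import json
import shlex

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Group IDs and names are invented for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-public",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
             {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0fedcba9876543210", "GroupName": "internal-all",
         "IpPermissions": [
             # "All traffic" in the console: no ports, protocol -1
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": []}]},
        {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "db-private",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
              "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
    ]
})

# 0.0.0.0/0 is what the rule names; ::/0 is its IPv6 counterpart (example assumption).
ANYWHERE = {"0.0.0.0/0", "::/0"}


def find_open_ingress(describe_json, allowed_public_ports=frozenset()):
    """Return the ingress rules that expose TCP or UDP to the whole internet.

    Each finding records the group id, protocol, port range and offending CIDR.
    Protocol "-1" is reported because it permits TCP and UDP as well; a match on
    the literal strings "tcp"/"udp" alone would miss it. Single-port rules whose
    port is in allowed_public_ports are skipped (assumed intentionally public).
    """
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto not in ("tcp", "udp", "-1"):
                continue  # icmp and other protocols are outside this rule's scope
            from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
            if proto != "-1" and from_port == to_port and from_port in allowed_public_ports:
                continue
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    findings.append({"GroupId": sg["GroupId"], "IpProtocol": proto,
                                     "FromPort": from_port, "ToPort": to_port,
                                     "Cidr": cidr})
    return findings


def revoke_command(finding):
    """Build the AWS CLI command that removes exactly the offending rule.

    The --ip-permissions JSON form is used because it expresses IPv4, IPv6 and
    protocol -1 rules uniformly; --protocol/--port/--cidr only covers IPv4.
    """
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if ":" in finding["Cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["Cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["Cidr"]}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions %s"
            % (finding["GroupId"], shlex.quote(json.dumps([perm]))))


if __name__ == "__main__":
    # On a real account: replace SAMPLE_DESCRIBE_OUTPUT with the CLI's stdout.
    for f in find_open_ingress(SAMPLE_DESCRIBE_OUTPUT, allowed_public_ports={443}):
        print(revoke_command(f))
```

On the sample, with 443 allow-listed, the script reports the SSH rule on web-public and the "All traffic" rule on internal-all and prints a revoke command for each; without the allow-list it also reports both 443 rules. Review the printed commands before running them, and authorize the replacement rule with a trusted CIDR for each port that still needs to be reachable.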

Step-by-Step Guide for Remediation

1. Log in to the AWS Management Console.
2. Navigate to the EC2 dashboard.
3. Click on "Security Groups" in the sidebar.
4. Identify the security group(s) associated with your VPC that require modifications.
5. Select the security group that needs updating by clicking on its name.
6. In the "Inbound Rules" tab, review the existing rules and identify any TCP or UDP ingress rules with a source CIDR of 0.0.0.0/0.
7. For each rule identified in step 6, click on the "Edit" button to modify it.
8. Choose the TCP or UDP option, specify the relevant port number, and change the source to a more specific CIDR (e.g., a trusted IP range or specific IP addresses) as recommended by the CISA Cyber Essentials framework.
9. Click "Save" to apply the changes.
10. Repeat steps 7-9 for each TCP and UDP rule that allows access from 0.0.0.0/0.

Note: Before removing a rule, confirm which ports and source ranges your applications actually require so that legitimate traffic is not blocked; restrict the source to those ranges rather than deleting access your workloads depend on.
