Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0

This rule ensures that VPC security groups restrict TCP and UDP access from all sources.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: CISA-cyber-essentials
Severity: High

VPC Security Group Rule for CISA Cyber Essentials

Rule Description

This rule checks that the ingress (inbound) rules of a VPC security group for the TCP and UDP protocols allow access only from specific IP ranges, rather than from any IP address (0.0.0.0/0). Restricting ingress in this way strengthens the security posture of the VPC and supports compliance with the CISA Cyber Essentials policy.

Troubleshooting Steps (if applicable)

  1. Ensure that the VPC security group associated with the relevant resources is correctly configured.
  2. Verify whether the VPC security group contains an inbound rule that allows TCP or UDP traffic from the IP range 0.0.0.0/0.
  3. Check whether any other security group rules conflict with or override the intended restrictions.
  4. Ensure that any configuration changes are properly applied and propagated to all relevant resources.
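As an added detection check (not part of the Cloud Defense rule or its Terraform snippet), the Python below evaluates a security group's inbound rules in the shape returned by the EC2 DescribeSecurityGroups API (the IpPermissions list, as boto3's ec2.describe_security_groups() returns it), so it can be run over real API output as troubleshooting step 2 describes. The sample group is constructed; the check also flags the IPv6 equivalent ::/0 and the "all protocols" value -1, which cover TCP and UDP even though the rule text does not name them.

```python
"""Flag security group ingress rules that open TCP/UDP to the whole internet.
Input mirrors the EC2 DescribeSecurityGroups IpPermissions structure."""

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"  # IPv6 equivalent of 0.0.0.0/0
# IpProtocol "-1" in the EC2 API means "all protocols", which includes TCP and UDP
FLAGGED_PROTOCOLS = {"tcp", "udp", "-1"}


def open_ingress_findings(group):
    """Return (protocol, (from_port, to_port), cidr) for every ingress rule
    that allows TCP, UDP or all protocols from any source address."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = str(perm.get("IpProtocol", "")).lower()
        if proto not in FLAGGED_PROTOCOLS:
            continue
        # "-1" (all protocols) rules carry no FromPort/ToPort; report the full range.
        ports = (perm.get("FromPort", 0), perm.get("ToPort", 65535))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in (WORLD_V4, WORLD_V6):
                findings.append((proto, ports, cidr))
    return findings


def is_compliant(group):
    """A group passes the rule when no ingress rule is open to the world."""
    return not open_ingress_findings(group)


# Constructed sample: one compliant HTTPS rule and two violations.
SAMPLE_GROUP = {
    "GroupId": "sg-0123example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for proto, (lo, hi), cidr in open_ingress_findings(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {proto} ports {lo}-{hi} open to {cidr}")
```

To audit a real account, pass each element of the `SecurityGroups` list from `describe_security_groups()` to `open_ingress_findings`.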

Necessary Code (if applicable)

If you manage your cloud infrastructure as code (for example with AWS CloudFormation or Terraform), the following Terraform snippet shows how to define TCP and UDP ingress rules that allow only specific IP ranges instead of 0.0.0.0/0:

resource "aws_security_group" "example" {
  # ... other configuration for the security group ...

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["x.x.x.x/xx"] # Specify specific IP range(s) instead of 0.0.0.0/0
  }

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "udp"
    cidr_blocks = ["x.x.x.x/xx"] # Specify specific IP range(s) instead of 0.0.0.0/0
  }

  # ... other configuration for the security group ...
}

Please replace "x.x.x.x/xx" with the actual IP range(s) that need to be allowed.

Step-by-Step Guide for Remediation

  1. Identify the VPC security group associated with the resources that need to adhere to the CISA Cyber Essentials policy.
  2. Access the cloud management console for your cloud provider (e.g., AWS, Azure, GCP).
  3. Navigate to the VPC security group configuration page.
  4. Locate the security group that requires modification and select it for editing.
  5. Identify the inbound rule that allows TCP and UDP traffic from 0.0.0.0/0.
  6. Edit the rule and replace the IP range 0.0.0.0/0 with the desired specific IP range(s) based on the policy requirements.
  7. Save the changes to the security group configuration.
  8. Ensure that the updated security group is associated with the relevant resources, such as EC2 instances or load balancers.
  9. Test connectivity to the resources from the allowed IP range(s) to confirm that the restriction is in effect.
  10. Monitor the security group and network traffic to ensure that the updated configuration is correctly enforced.

By following these steps, you can successfully implement the VPC security group rule to restrict ingress TCP and UDP access from 0.0.0.0/0 according to the CISA Cyber Essentials policy.
