Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0
This rule focuses on restricting TCP and UDP access in VPC security groups from a wide IP range.
| Rule | VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0 |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ High |
Rule Description:
VPC security groups for FedRAMP Low Revision 4 should restrict ingress TCP and UDP access from the IP range 0.0.0.0/0. This rule aims to enforce a more secure networking environment by limiting access only to the required IP addresses or ranges.
Troubleshooting Steps:
- 1.Check the existing inbound rules of the VPC security group.
- 2.Identify if there are any TCP or UDP rules allowing access from 0.0.0.0/0.
- 3.Determine if the security group is associated with the correct VPC and the desired resources.
- 4.Verify if there are any existing outbound rules that may interfere with the desired ingress restriction.
- 5.Confirm that the security group has the necessary permissions and is correctly applied to the resources it is intended to protect.
Necessary Codes:
Amazon Web Services (AWS) provides a CLI (Command Line Interface) that can be used to manage security groups. Below are the necessary commands to configure the desired ingress restriction:
- 1.To modify an existing security group:
aws ec2 modify-security-group-rules --group-id <security-group-id> --ingress <ingress-rules>
Replace
<security-group-id><ingress-rules>- 1.To add a new ingress rule with restricted TCP access:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-number> --source-security-group <security-group-id> --source-security-group-owner-id <owner-id>
Replace
<security-group-id><port-number><security-group-id><owner-id>- 1.To add a new ingress rule with restricted UDP access:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol udp --port <port-number> --source-security-group <security-group-id> --source-security-group-owner-id <owner-id>
Replace the placeholders as mentioned in the previous command.
Step-by-Step Guide for Remediation:
- 1.Identify the appropriate VPC security group that requires ingress restriction.
- 2.Ensure you have the necessary access rights to modify the security group.
- 3.Open the AWS CLI or any terminal that has the AWS CLI configured.
- 4.Retrieve the security group ID using the following command:
aws ec2 describe-security-groups --query 'SecurityGroups[?GroupName==`<security-group-name>`].GroupId' --output text
Replace
<security-group-name>- 1.Check if any existing inbound rules allow TCP or UDP access from 0.0.0.0/0 using the following command:
aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[].IpPermissions[? (ToPort <= `<port-number>` && FromPort >= `<port-number>` && (IpRanges[? (CidrIp == `0.0.0.0/0`)] || Ipv6Ranges[? (CidrIpv6 == `::/0`)] || PrefixListIds[? (PrefixListId == `pl-xxxxxxxx`)]))]'
Replace
<security-group-id><port-number>- 1.If any rules are found, use the appropriate commands mentioned above to modify the security group by either removing the existing rules or adding new ones with restricted access.
Remember to replace the required placeholders with the actual values to ensure correct execution.
- 1.Verify the changes made by rechecking the security group's inbound rules.
By following these steps and using the provided commands, you can successfully restrict ingress TCP and UDP access from 0.0.0.0/0 for the specified VPC security group, ensuring compliance with FedRAMP Low Revision 4 requirements.