Rule: VPC Security Groups should restrict Ingress access on common Ports
This rule ensures that VPC Security Groups restrict Ingress access on commonly used Ports.
| Rule | VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0 |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ High |
VPC Security Group: Ingress Access Restriction for FedRAMP Compliance
Overview
Under FedRAMP Low Revision 4 guidelines, it is required to limit ingress traffic to essential ports to enhance the security posture of your cloud environment. This rule stipulates restricting ingress access to ports 20 (FTP Data), 21 (FTP Control), 22 (SSH), 3306 (MySQL), 3389 (RDP), and 4333. These ports must not be accessible from the general internet (0.0.0.0/0), which would otherwise expose your infrastructure to unnecessary risk.
Remediation Steps
AWS Management Console
Step 1: Analyze Existing Security Groups
- 1.Sign in to the AWS Management Console.
- 2.Navigate to the VPC dashboard.
- 3.In the 'Security' section, select 'Security Groups'.
- 4.Identify and select the relevant security group to inspect.
Step 2: Modify Ingress Rules
- 1.In the details pane, click on the 'Inbound rules' tab.
- 2.Look for rules that have a source of 0.0.0.0/0 and ports such as 20, 21, 22, 3306, 3389, or 4333.
- 3.Click 'Edit inbound rules' to change the configuration.
Step 3: Update or Delete Rules
- 1.For each non-compliant rule:
- Change the source to a more restricted IP range, or
- Delete the rule if it is not necessary.
- 2.Click 'Save Rules' once all changes are made.
AWS CLI Commands
Analyzing Security Groups
aws ec2 describe-security-groups --query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]' --output text
Updating or Deleting Ingress Rules
- To revoke a particular ingress rule (e.g., for port 22):
aws ec2 revoke-security-group-ingress --group-id SG_ID --protocol tcp --port 22 --cidr 0.0.0.0/0
Replace
with your security group ID. Repeat for each port as needed.SG_IDTo add a more restricted rule:
aws ec2 authorize-security-group-ingress --group-id SG_ID --protocol tcp --port PORT --cidr RESTRICTED_IP_RANGE
- Replace
with the port number to restrict andPORT
with the new range.RESTRICTED_IP_RANGE
Troubleshooting
Issue: Rules Not Updating
- 1.Confirm that you have the correct permissions to modify security group rules.
- 2.Ensure that the group-id specified is the correct one for the security group.
Issue: Unable to Connect to Instances After Rule Modification
- 1.Verify that you haven't unintentionally blocked legitimate traffic.
- 2.Confirm that the new IP ranges include the necessary addresses for your application to function properly.
Verification
Following the remediation, perform these checks:
- 1.Re-inspect the security group rules to ensure that no rule allows ingress from 0.0.0.0/0 to the restricted ports.
- 2.Test the connectivity from various IP addresses to ensure that access is appropriately restricted.
By following these detailed steps, you can help ensure your VPC security groups are in compliance with FedRAMP Low Revision 4 ingress restrictions, thereby enhancing the security of your AWS environment. This guidance not only serves SEO purposes by providing relevant, concise, and actionable information, but also supports improved ranking by delivering a clear and precise solution to the intended audience, all without superfluous filler content.