Rule: VPC Security Groups Should Restrict Ingress SSH Access from 0.0.0.0/0

A rule to ensure VPC security groups restrict SSH access from all source IPs.

Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework: FedRAMP Low Revision 4
Severity: High

Rule: VPC Security Groups Should Restrict Ingress SSH Access

Description

To comply with FedRAMP Low Revision 4 requirements, Amazon Virtual Private Cloud (VPC) security groups must restrict Secure Shell (SSH) ingress so that it is not reachable from the entire internet (source 0.0.0.0/0). Security groups act as a stateful virtual firewall for the network interfaces they are attached to, controlling inbound and outbound traffic. Restricting SSH to known source addresses removes the service from internet-wide scanning and shrinks the attack surface for credential brute forcing and for exploitation of vulnerabilities in the SSH server. The same exposure exists for an IPv6 rule with source ::/0, so check both address families when applying this rule.

Troubleshooting Steps

If a security group allows SSH access from any IP address, the following steps help identify and resolve the issue:

  1. Identify security groups with open SSH access:

     • Use the AWS Management Console, CLI, or API to list security groups and their inbound rules.
     • Look for rules that allow inbound TCP port 22 from 0.0.0.0/0 (or the IPv6 equivalent, ::/0), including rules whose port range merely contains 22 and rules that allow all traffic.

  2. Review security group associations:

     • List the EC2 instances and other resources whose network interfaces reference the group, so you know what the open rule actually exposes. Treat anything reachable from the internet as exposed whether or not it is labelled production; the association review sets priority, not whether to fix it.

  3. Modify or remove the unsafe rule:

     • Change the rule's source from 0.0.0.0/0 to the specific, trusted IP addresses or CIDR ranges that need SSH.
     • If SSH from outside is not required at all, remove the rule entirely.

Remediation CLI Commands

Finding Security Groups with Open SSH Access

  1. List security groups that allow ingress from 0.0.0.0/0 on port 22:

     aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=22 Name=ip-permission.to-port,Values=22 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].[GroupId,GroupName]' --output text

     Treat the output as a shortlist rather than a verdict. The filters are matched against a group's rules independently rather than against a single rule, and a rule whose port range only contains 22 (for example 0-1024, or all traffic) or whose open source is the IPv6 ::/0 does not match these exact-port, IPv4-only filters. Confirm each hit by inspecting the group's IpPermissions.

Modifying or Removing Insecure SSH Access

  1. Restrict SSH access to a specific IP address or range (replace YOUR-SG-ID with the security group ID and YOUR-IP-ADDRESS with the trusted source in CIDR notation, for example 203.0.113.10/32 for a single host):

     aws ec2 revoke-security-group-ingress --group-id YOUR-SG-ID --protocol tcp --port 22 --cidr 0.0.0.0/0
     aws ec2 authorize-security-group-ingress --group-id YOUR-SG-ID --protocol tcp --port 22 --cidr YOUR-IP-ADDRESS

     The revoke only removes a rule that is exactly TCP port 22 from 0.0.0.0/0. A wider rule (a port range that includes 22, or all traffic) must be revoked using its own protocol and port range, and a rule open to ::/0 must be revoked with --ip-permissions specifying Ipv6Ranges, because --cidr accepts IPv4 only. Re-run describe-security-groups afterwards to confirm the open rule is gone.

Network access control lists (NACLs) are a separate, stateless layer in front of the subnet and are evaluated in rule-number order, first match wins. If you rely on them as an additional control, check that no NACL allow rule admits inbound TCP port 22 from 0.0.0.0/0 (or ::/0) ahead of a deny. A NACL does not replace a correctly scoped security group, which is what this rule evaluates.
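The finding and remediation commands above share the blind spots noted with them: the describe filters are not matched against a single rule, exact-port filters miss a range such as 0-1024 or an all-traffic rule, IPv4 filters miss ::/0, and a revoke of "--port 22" does not touch a wider rule. The script below is an added example, not the page's or Cloud Defense's own tooling. It evaluates each permission as a unit and prints a revoke command that names the rule's real protocol, port range and open sources. It runs offline on a constructed JSON sample in the shape that `aws ec2 describe-security-groups --output json` (and boto3's `describe_security_groups`) returns; the group IDs and names in that sample are made up.

```python
"""Find security-group rules that expose SSH to the world, and build precise revoke commands.

Added example, not code from the original page. Input is the JSON shape of
`aws ec2 describe-security-groups --output json`; SAMPLE below is constructed.
"""
import json
import shlex

SSH_PORT = 22
OPEN_V4 = {"0.0.0.0/0"}
OPEN_V6 = {"::/0"}


def permission_covers_ssh(perm):
    """True if one IpPermission entry admits TCP/22, including via a wider range or all traffic."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":          # all protocols, all ports; the API omits FromPort/ToPort here
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= SSH_PORT <= hi


def open_sources(perm):
    """Return the world-open sources (IPv4 and IPv6) listed in one IpPermission entry."""
    found = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in OPEN_V4]
    found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in OPEN_V6]
    return found


def find_open_ssh(describe_output):
    """Return (GroupId, GroupName, IpPermission, open_cidrs) for every rule that exposes SSH."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_ssh(perm):
                continue                       # port 22 not in this rule: its sources are irrelevant
            cidrs = open_sources(perm)
            if cidrs:
                findings.append((sg["GroupId"], sg["GroupName"], perm, cidrs))
    return findings


def revoke_command(group_id, perm, cidrs):
    """Build an `aws ec2 revoke-security-group-ingress --ip-permissions` call for the open part of a rule.

    Reusing the rule's own protocol and port range means the revoke matches a
    0-1024 or all-traffic rule, which `--protocol tcp --port 22` would not; the
    restricted sources of the same rule are left in place.
    """
    entry = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        entry["FromPort"] = perm["FromPort"]
        entry["ToPort"] = perm["ToPort"]
    v4 = [{"CidrIp": c} for c in cidrs if c in OPEN_V4]
    v6 = [{"CidrIpv6": c} for c in cidrs if c in OPEN_V6]
    if v4:
        entry["IpRanges"] = v4
    if v6:
        entry["Ipv6Ranges"] = v6
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions %s"
            % (group_id, shlex.quote(json.dumps([entry]))))


# Constructed sample (made-up group IDs/names) covering the cases the CLI filter gets wrong.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "bastion",        # the classic finding: tcp/22 from anywhere
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "legacy-range",   # 22 sits inside 0-1024; only ::/0 is open
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "web-ok",         # 22 restricted, 80 open: not an SSH finding
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
                       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "wide-open",      # all traffic from anywhere, no port fields
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}


if __name__ == "__main__":
    # To use on a live account: SAMPLE = json.load(open("sgs.json")) after running
    # `aws ec2 describe-security-groups --output json > sgs.json`.
    for gid, name, perm, cidrs in find_open_ssh(SAMPLE):
        rng = "%s-%s" % (perm.get("FromPort", "all"), perm.get("ToPort", "all"))
        print("%s (%s): %s %s from %s" % (gid, name, perm["IpProtocol"], rng, ", ".join(cidrs)))
        print("  " + revoke_command(gid, perm, cidrs))
```

Review each printed revoke before running it: the script deliberately removes only the world-open sources and leaves the rule's restricted sources untouched, so a rule that should be deleted entirely still needs a follow-up, and the replacement authorize for the trusted source is left to you because it depends on your address ranges.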

Step by Step Guide for Remediation

  1. Log in to your AWS Management Console.
  2. Navigate to the EC2 Dashboard.
  3. Click Security Groups in the left navigation pane.
  4. Identify security groups with rules that allow SSH (port 22) access from 0.0.0.0/0.
  5. Select the security group to modify.
  6. In the Inbound rules tab, find the rule that has port 22 open to 0.0.0.0/0.
  7. Edit the inbound rule to change the Source from 0.0.0.0/0 to the specific IP address or CIDR block that requires SSH access.
  8. Save the changes.

Repeat these steps for each security group that has an SSH rule open to the world.

Following these steps brings your VPC security groups into line with the FedRAMP Low Revision 4 requirement behind this rule and removes one of the most commonly abused internet-facing entry points. Re-run the check regularly, or enforce it continuously, since newly created groups and later rule edits can reintroduce the exposure.
