
Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0

This rule ensures proper restrictions on ingress TCP and UDP access in VPC security groups.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: FedRAMP Low Revision 4
Severity: High

VPC Security Groups: Restrict Ingress Access for FedRAMP Low Revision 4

Rule Overview

The Federal Risk and Authorization Management Program (FedRAMP) Low Impact Level, Revision 4, requires limiting unnecessary exposure of systems to the public internet. In the context of an AWS environment, this means that security groups attached to VPC resources should not allow unrestricted ingress TCP or UDP traffic from the IP range 0.0.0.0/0, which represents any possible IP address. Restrictions should be in place to limit access only to the necessary IP ranges or specific IP addresses.

Troubleshooting Steps

If a security group allows unrestricted access, it can be identified through a security audit or by checking the rules manually:

  1. Sign in to your AWS Management Console.
  2. Navigate to the EC2 Dashboard.
  3. On the left-hand sidebar, click on 'Security Groups'.
  4. Select the security group you want to review.
  5. In the bottom panel, select the 'Inbound rules' tab to examine existing rules.
  6. Look for rules with 'Source' set to '0.0.0.0/0' for TCP or UDP.
  7. Take note of the security groups that require changes.

Remediation Steps

To rectify the unrestricted ingress access, follow these steps:

Step 1: Modify Security Group Rules

# Retrieve the ID of the security group
aws ec2 describe-security-groups --query "SecurityGroups[?GroupName == 'YOUR_GROUP_NAME'].GroupId" --output text

# Remove the rule allowing inbound access from 0.0.0.0/0 (replace sg-xxxxxx with your security group ID)
# The protocol, port (or port range, e.g. 1024-65535) and CIDR must match the existing rule exactly, otherwise nothing is revoked
aws ec2 revoke-security-group-ingress --group-id sg-xxxxxx --protocol tcp --port PORT --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id sg-xxxxxx --protocol udp --port PORT --cidr 0.0.0.0/0

Step 2: Apply New Rules

Define and apply new ingress rules to the security group with restricted access:

# Allow specific IP range or address (replace YOUR_IP_RANGE with the desired value and PORT with the specific port you want to open)
aws ec2 authorize-security-group-ingress --group-id sg-xxxxxx --protocol tcp --port PORT --cidr YOUR_IP_RANGE
aws ec2 authorize-security-group-ingress --group-id sg-xxxxxx --protocol udp --port PORT --cidr YOUR_IP_RANGE

Replace YOUR_GROUP_NAME, sg-xxxxxx, PORT, and YOUR_IP_RANGE with your actual security group's name, its ID, the ports required by your application, and the specific IP ranges or IP addresses that need access.

Step 3: Review Security Group Configuration

After applying the new rules, verify them using the AWS Management Console or using the AWS CLI with this command:

aws ec2 describe-security-groups --group-ids sg-xxxxxx

Best Practices for Ingress Filtering

  • Enable VPC Flow Logs to monitor the traffic and troubleshoot any connectivity issues due to the security group changes.
  • Regularly audit security groups using AWS Config or custom Lambda functions to verify compliance with the FedRAMP requirements.
  • Implement the principle of least privilege by only allowing necessary traffic and sources.
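The audit in the Troubleshooting Steps and the periodic check recommended above can be scripted against the JSON that `aws ec2 describe-security-groups` returns. The following is an added example, not code from this page or from Cloud Defense: it flags every ingress permission that admits TCP or UDP from 0.0.0.0/0 and builds the matching revoke command for each. It goes one step beyond the console check by also flagging "All traffic" rules (IpProtocol "-1"), since those admit TCP and UDP as well. The group ID and rules are a constructed sample, not real account data.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output (not real
# data): compliant, open TCP, open UDP, and "all traffic" (-1, covers TCP/UDP) rules.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0example1", "GroupName": "web",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
""")

ANY_IPV4 = "0.0.0.0/0"


def find_open_ingress(describe_output):
    """Return (group_id, protocol, from_port, to_port) for each ingress
    permission admitting TCP or UDP from 0.0.0.0/0. IpProtocol "-1" is
    flagged as well because "all traffic" includes TCP and UDP."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            open_v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
            if proto in ("tcp", "udp", "-1") and open_v4:
                findings.append((sg["GroupId"], proto,
                                 perm.get("FromPort"), perm.get("ToPort")))
    return findings


def revoke_commands(findings):
    """Build one `aws ec2 revoke-security-group-ingress` call per finding;
    the protocol, port range and CIDR must match the existing rule exactly."""
    cmds = []
    for group_id, proto, from_port, to_port in findings:
        cmd = (f"aws ec2 revoke-security-group-ingress --group-id {group_id}"
               f" --protocol {'all' if proto == '-1' else proto} --cidr {ANY_IPV4}")
        if proto != "-1":  # "all traffic" rules carry no port range
            ports = f"{from_port}" if from_port == to_port else f"{from_port}-{to_port}"
            cmd += f" --port {ports}"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    print("\n".join(revoke_commands(find_open_ingress(SAMPLE))))
```

Review the generated commands before running them; a rule that is open by design (for example a public HTTPS listener behind a load balancer) should be documented as an accepted exception rather than revoked blindly.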

Adhering to FedRAMP Low Revision 4 requirements enhances your security posture and reduces the risk of cyber threats due to unrestricted access. Always evaluate changes within a test environment before applying to production systems to avoid unwanted service disruptions.
