
Rule: VPC Security Groups Should Restrict Ingress Access on Common Ports

This rule ensures VPC security groups restrict ingress access on specified common ports to enhance security.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description: VPC Security Group Ingress Access Restriction for FedRAMP Low Revision 4

This rule is designed to ensure that the ingress access to certain ports in the VPC security groups is restricted to specific IP ranges for systems compliant with the FedRAMP Low Revision 4 security requirements. The rule mandates that ports 20, 21, 22, 3306, 3389, and 4333 should not allow inbound traffic from the entire internet (0.0.0.0/0), thereby safeguarding the VPC from unauthorized access.

Troubleshooting Steps:

If you encounter any issues while implementing this rule, here are some troubleshooting steps to help resolve them:

  1. Verify Security Group Rules: Check whether the VPC security group associated with the affected resources has ingress rules covering the specified ports (20, 21, 22, 3306, 3389, and 4333), including rules whose port range spans one of them.

  2. Check Source IP Range: Check whether any ingress rule for these ports uses the source range "0.0.0.0/0" (or its IPv6 equivalent "::/0"). That range permits access from every IP address, which is exactly what this rule flags; the source must be a specific trusted range.

  3. Verify Overlapping Rules: Security group rules have no priority order; traffic is allowed if any rule matches. Confirm that no other rule (for example an "All traffic" rule or a wide port range) still permits unrestricted access to these ports after the offending rule is removed.

  4. Security Group Associations: Verify that the affected resources (instances, load balancers, etc.) are associated with the correct security group that has the restricted ingress rules configured.

Necessary Codes:

If you are using Infrastructure as Code (IaC) tools like AWS CloudFormation or Terraform, you can use the following snippets to define a security group whose rules on the specified ports accept traffic only from a trusted CIDR range (replace the YourTrustedCidr placeholder) rather than from 0.0.0.0/0:

AWS CloudFormation:

Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: My Security Group
      VpcId: YourVpcId
      SecurityGroupIngress:
        # YourTrustedCidr is a placeholder for a specific allowed range
        # (for example a corporate or bastion network), never 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 20
          ToPort: 21
          CidrIp: YourTrustedCidr
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: YourTrustedCidr
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: YourTrustedCidr
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: YourTrustedCidr
        - IpProtocol: tcp
          FromPort: 4333
          ToPort: 4333
          CidrIp: YourTrustedCidr

Terraform:

resource "aws_security_group" "my_security_group" {
  vpc_id      = "YourVpcId"
  name        = "MySecurityGroup"

  # YourTrustedCidr is a placeholder for a specific allowed range
  # (for example a corporate or bastion network), never 0.0.0.0/0
  ingress {
    from_port   = 20
    to_port     = 21
    protocol    = "tcp"
    cidr_blocks = ["YourTrustedCidr"]
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["YourTrustedCidr"]
  }

  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["YourTrustedCidr"]
  }

  ingress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = ["YourTrustedCidr"]
  }

  ingress {
    from_port   = 4333
    to_port     = 4333
    protocol    = "tcp"
    cidr_blocks = ["YourTrustedCidr"]
  }
}

Remediation Steps:

To implement the ingress access restriction for the specified ports (20, 21, 22, 3306, 3389, and 4333), follow the step-by-step guide below:

  1. Identify the VPC and security group associated with the resources (instances, load balancers, etc.) whose ingress access you want to restrict.

  2. Access the AWS Management Console and navigate to the EC2 Dashboard.

  3. In the left-hand menu, click on "Security Groups."

  4. Locate the security group linked to your resources and select it.

  5. Click on the "Inbound Rules" or "Ingress" tab to view the existing inbound traffic rules.

  6. Delete any existing ingress rules that permit unrestricted access to the specified ports (20, 21, 22, 3306, 3389, and 4333) from 0.0.0.0/0, including "All traffic" rules and port ranges that span these ports.

  7. Add new ingress rules that allow access only from the specific trusted IP ranges that comply with the FedRAMP Low Revision 4 requirements (in each rule the source must be your trusted CIDR range, not 0.0.0.0/0):

    • Protocol: TCP, Port Range: 20-21, Source IP: your trusted CIDR range

    • Protocol: TCP, Port Range: 22, Source IP: your trusted CIDR range

    • Protocol: TCP, Port Range: 3306, Source IP: your trusted CIDR range

    • Protocol: TCP, Port Range: 3389, Source IP: your trusted CIDR range

    • Protocol: TCP, Port Range: 4333, Source IP: your trusted CIDR range

  8. Save the changes to the security group configuration.

  9. Ensure that your resources are associated with the updated security group.

By following the above steps, you have removed the rules that allowed inbound traffic on ports 20, 21, 22, 3306, 3389, and 4333 from 0.0.0.0/0 and restricted those ports to your trusted IP ranges, in line with the FedRAMP Low Revision 4 security requirements.
