Rule for VPC Security Groups Ingress TCP and UDP Access Restriction

A detailed guideline regarding restriction of ingress TCP and UDP access in VPC security groups.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

For FedRAMP Low Revision 4, VPC security groups must not contain ingress (inbound) TCP or UDP rules whose source is 0.0.0.0/0, because such a rule exposes the port to every address on the Internet. Treat the IPv6 equivalent, ::/0, and "All traffic" (protocol -1) rules from either source the same way, since they also admit TCP and UDP from anywhere.

Troubleshooting Steps:

  1. List the security groups in the VPC and review their inbound rules.
  2. Identify any security group with an inbound TCP or UDP rule (or an "All traffic" rule) whose source is 0.0.0.0/0 or ::/0.
  3. Confirm each affected group belongs to the VPC in scope and decide, per rule, whether the service must be reachable at all and, if so, from which trusted address ranges.

Necessary Codes:

The following AWS CLI commands remove an inbound rule that allows a TCP port from 0.0.0.0/0 and, where the service still needs to be reachable, re-add it from a trusted address range only:

aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol tcp --port <port_number> --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress --group-id <security_group_id> --protocol tcp --port <port_number> --cidr <trusted_cidr>

Replace <security_group_id> with the ID of the security group, <port_number> with the exposed port, and <trusted_cidr> with the CIDR block that is allowed to reach it (for example your corporate egress range). Use --protocol udp for UDP rules. Running authorize-security-group-ingress with --cidr 0.0.0.0/0 would create exactly the open rule this check flags, so never use it as the remediation.

Step-by-Step Remediation Guide:

  1. Log in to the AWS Management Console.
  2. Go to the VPC dashboard.
  3. Select the VPC whose security groups need to be brought into FedRAMP Low Revision 4 compliance.
  4. Click "Security Groups" in the left sidebar.
  5. Identify the security group with the open inbound rule.
  6. Take note of the security group ID and of the protocol and port of each rule sourced from 0.0.0.0/0.
  7. Open a terminal with the AWS CLI (version 2) or AWS Tools for PowerShell installed and credentials that allow modifying security groups.
  8. Remove the open rule with revoke-security-group-ingress, as shown in the Necessary Codes section:

aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol tcp --port <port_number> --cidr 0.0.0.0/0

Replace <security_group_id> with the security group ID noted earlier and <port_number> with the port of the open rule (use --protocol udp for UDP rules).

  9. If the service must remain reachable, re-add the rule with authorize-security-group-ingress and --cidr set to the trusted address range instead of 0.0.0.0/0.
  10. Repeat steps 8 and 9 for every other open port.
  11. Check the security group's inbound rules to confirm that no TCP or UDP rule sourced from 0.0.0.0/0 (or ::/0) remains.
  12. Verify the security group is now compliant with the FedRAMP Low Revision 4 requirements.
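The troubleshooting and remediation steps above, worked as a script (an added example, not Cloud Defense's tooling). It parses the JSON that `aws ec2 describe-security-groups --output json` returns, lists every inbound rule sourced from 0.0.0.0/0, and emits the exact revoke command plus the replacement authorize command restricted to a trusted CIDR. It goes slightly beyond the rule text by also flagging the IPv6 equivalent ::/0 and "All traffic" (protocol -1) rules, both of which admit TCP and UDP from anywhere. The security-group JSON embedded below is constructed sample data with made-up group IDs; on a real account you would feed the script the CLI output instead.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Group IDs and names are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "web-public",
            "IpPermissions": [
                # HTTPS open to the world: flagged
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                # SSH limited to a trusted range: not flagged
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "dns-internal",
            "IpPermissions": [
                # UDP 53 open to every IPv6 address: flagged
                {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {
            "GroupId": "sg-00000000000000003",
            "GroupName": "legacy-all-open",
            "IpPermissions": [
                # "All traffic" (protocol -1) from anywhere; AWS omits FromPort/ToPort here
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
})

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def open_ingress(describe_json, protocols=("tcp", "udp", "-1")):
    """Return one finding per inbound rule open to the whole Internet.

    Protocol "-1" (all traffic) is included by default because it admits
    TCP and UDP too; pass protocols=("tcp", "udp") for the literal rule text.
    """
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto not in protocols:
                continue
            open_cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])
                          if r["CidrIp"] == ANY_IPV4]
            open_cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                           if r["CidrIpv6"] == ANY_IPV6]
            for cidr in open_cidrs:
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg["GroupName"],
                    "protocol": proto,
                    "from_port": perm.get("FromPort"),  # None for protocol -1
                    "to_port": perm.get("ToPort"),
                    "cidr": cidr,
                })
    return findings


def _permission(finding, cidr):
    """Build the IpPermission JSON that names exactly one rule (IPv4 or IPv6)."""
    perm = {"IpProtocol": finding["protocol"]}
    if finding["from_port"] is not None:
        perm["FromPort"] = finding["from_port"]
        perm["ToPort"] = finding["to_port"]
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return json.dumps([perm], separators=(",", ":"))


def revoke_command(finding):
    """AWS CLI command that deletes the open rule, and only that rule."""
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["group_id"], _permission(finding, finding["cidr"])))


def authorize_command(finding, trusted_cidr):
    """AWS CLI command that re-creates the same rule restricted to trusted_cidr."""
    return ("aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["group_id"], _permission(finding, trusted_cidr)))


if __name__ == "__main__":
    for f in open_ingress(SAMPLE_DESCRIBE_OUTPUT):
        ports = "all ports" if f["from_port"] is None else "%s-%s" % (f["from_port"], f["to_port"])
        print("# %s (%s): %s %s from %s" % (f["group_id"], f["group_name"],
                                            f["protocol"], ports, f["cidr"]))
        print(revoke_command(f))
```

The `--ip-permissions` form is used instead of the `--protocol/--port/--cidr` shorthand because the shorthand cannot express IPv6 sources or the portless "All traffic" rule. Append `--dry-run` to an emitted command to confirm your credentials may change the group before actually running it, and re-run `describe-security-groups` afterwards to confirm the open rules are gone.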

Note: It is essential to review and confirm the specific requirements of FedRAMP Low Revision 4 and tailor the security group rules accordingly.
