
Rule: VPC Security Groups Should Restrict Ingress Access on Common Ports

This rule emphasizes the importance of restricting ingress access on specified ports for VPC security groups.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: FedRAMP Moderate Revision 4
Severity: High

Description

This rule ensures that the VPC security groups within an environment adhere to the security requirements defined in FedRAMP Moderate Revision 4. The rule mandates that ingress access on specific ports (20, 21, 22, 3306, 3389, and 4333) should be restricted from the entire internet (0.0.0.0/0).

Remediation

Follow the steps below to remediate this rule:

  1. Identify the VPC security group that needs to be updated. You can use the AWS Management Console, AWS Command Line Interface (CLI), or AWS SDKs/APIs to list all the VPC security groups within your AWS account.

  2. Once you have identified the security group, make sure you have the necessary permissions to modify it.

  3. Determine the current inbound rules for the security group. Again, you can use the AWS Management Console, AWS CLI, or AWS SDKs/APIs to retrieve the existing inbound rules.

  4. Review the existing inbound rules and confirm whether any of the ports (20, 21, 22, 3306, 3389, and 4333) have unrestricted access from 0.0.0.0/0.

  5. If there are any inbound rules allowing access from 0.0.0.0/0 on these ports, update the security group to restrict the ingress access. Depending on your preferred method of making the changes, you can use either the AWS Management Console or the CLI.

    Using AWS Console:

    • Open the AWS Management Console and navigate to the EC2 dashboard.
    • From the navigation pane, click on "Security Groups" under the "NETWORK & SECURITY" category.
    • Locate the required security group and select it.
    • In the "Inbound rules" tab, find the rule corresponding to the port that needs to be updated.
    • Edit the rule and change the source IP from "0.0.0.0/0" to a more restricted IP range or specific IP addresses.
    • Save the changes.

    Using AWS CLI:

    • Open the AWS CLI or terminal.
    • Execute the following command, replacing <security-group-id> with the actual ID of the security group and <port> with the appropriate port number (20, 21, 22, 3306, 3389, or 4333):

      aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --cidr 0.0.0.0/0

    Note: Repeat the above command for each port that needs to be updated.

  6. After updating the security group with the appropriate ingress rules, verify the changes to ensure that access from 0.0.0.0/0 has been restricted as intended.
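Steps 3 to 6 can be checked mechanically. The script below is an added example, not part of this rule page or of any vendor tool: it evaluates the JSON shape that `aws ec2 describe-security-groups` returns (a constructed sample with made-up group IDs is embedded so it runs offline), lists every ingress rule that exposes one of the rule's ports to 0.0.0.0/0, and builds the matching revoke command. It also covers two cases the port-by-port command above does not catch on its own: an "all traffic" rule (IpProtocol -1) and a TCP range such as 0-65535 that merely contains one of the ports, since a revoke only succeeds when it matches the stored rule exactly.

```python
import json

RESTRICTED_PORTS = (20, 21, 22, 3306, 3389, 4333)  # ports this rule checks
ANY_IPV4 = "0.0.0.0/0"

# Constructed sample in the shape `aws ec2 describe-security-groups` returns
# (group IDs are made up for the example).
SAMPLE_DESCRIBE_OUTPUT = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa111", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
  {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0bbb222", "IpPermissions": [
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")


def world_open(perm):
    """True if the permission lists 0.0.0.0/0 as a source."""
    return any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))


def offending_rules(describe_output):
    """Return (group_id, permission) for each ingress rule that exposes a
    restricted port to the world: an all-traffic rule, or a TCP rule whose
    FromPort-ToPort range contains one of RESTRICTED_PORTS."""
    hits = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not world_open(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":
                hits.append((sg["GroupId"], perm))
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
                if any(lo <= p <= hi for p in RESTRICTED_PORTS):
                    hits.append((sg["GroupId"], perm))
    return hits


def revoke_command(group_id, perm):
    """Build the revoke command for one offending rule, passing the range
    exactly as stored (a revoke must match the existing rule verbatim)."""
    base = f"aws ec2 revoke-security-group-ingress --group-id {group_id}"
    if perm["IpProtocol"] == "-1":  # all-traffic rule: use the ip-permissions form
        return f"{base} --ip-permissions 'IpProtocol=-1,IpRanges=[{{CidrIp={ANY_IPV4}}}]'"
    lo, hi = perm["FromPort"], perm["ToPort"]
    port = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{base} --protocol tcp --port {port} --cidr {ANY_IPV4}"


if __name__ == "__main__":
    for group_id, perm in offending_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(revoke_command(group_id, perm))
```

Feed it real output with `aws ec2 describe-security-groups --output json` and review the printed commands before running any of them.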

Troubleshooting

If you encounter any issues while trying to remediate this rule, consider the following troubleshooting steps:

  1. Validate that you are modifying the correct security group. Double-check the security group ID or name to ensure you are updating the intended group.

  2. Verify that you have the necessary permissions to modify security groups. If you encounter permission errors, contact your AWS account administrator or security team to grant you the required permissions.

  3. Check if there are any conflicting security group rules that might override the changes you are attempting to make. Review and update any conflicting rules accordingly.

  4. If you are using the AWS CLI, ensure that your CLI environment is properly configured with the correct AWS credentials. Refer to the AWS CLI documentation for assistance with configuration.

  5. If the changes do not take effect immediately, check for any network caching or propagation delays. In some cases, it may take a few minutes for the changes to propagate across the network.

If the issue persists after following these troubleshooting steps, consider reaching out to AWS Support for further assistance.
