
Rule: VPC Security Groups Should Restrict Ingress SSH Access from 0.0.0.0/0

This rule checks that VPC security groups do not allow inbound SSH access from all IP addresses (0.0.0.0/0).

Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule/Policy Description

Within the FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 compliance framework, VPC security groups should not permit inbound SSH (Secure Shell) access from the IP range 0.0.0.0/0, which matches every IPv4 address. Restricting ingress SSH access enhances security by allowing SSH connections only from trusted sources.

Troubleshooting Steps (if applicable)

If you encounter issues while implementing this rule, please follow the troubleshooting steps below:

  1. Check the VPC security groups: Ensure that the security groups associated with the desired VPC are correctly configured.

  2. Verify inbound rules: Double-check whether any inbound SSH rule permits access from the IP range 0.0.0.0/0.

  3. Validate network ACLs: Confirm that the network ACLs (Access Control Lists) associated with the VPC do not conflict with the security group rules.

  4. Review VPC routing: Ensure that the VPC route tables and internet gateways are correctly set up to allow SSH traffic.

Necessary Codes (if applicable)

There are no specific codes required for this rule as it involves only the configuration of security group rules within the AWS Management Console or AWS CLI.

Step-by-Step Guide for Remediation

To enforce the restriction of ingress SSH access from the IP range 0.0.0.0/0 within your VPC security groups in compliance with FedRAMP Moderate Revision 4, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the Amazon VPC service.

  2. In the left-hand menu, select "Security Groups."

  3. Identify the security group(s) that need modification to restrict SSH access. Take note of the security group ID(s).

  4. Select the desired security group from the list.

  5. In the "Inbound Rules" section, locate the rule that allows SSH access. It will likely have a port range of 22 and a source of 0.0.0.0/0.

  6. Click the "Edit" button next to the rule.

  7. Modify the source IP range to the specific IP range(s) allowed for SSH access based on your requirements. Typically, this would be a range defined by your organization's network or specific trusted sources.

  8. Ensure that the SSH source IP range aligns with the restrictions mandated by FedRAMP Moderate Revision 4. This could be a specific IP or a CIDR range.

  9. Click "Save" or "Apply" to save the updated security group rule.

  10. Repeat the above steps for each security group that requires modification.

  11. Test SSH connectivity from an IP within the allowed range to confirm the restriction is functioning as intended.

By following these steps, you can successfully limit ingress SSH access from the IP range 0.0.0.0/0 within your VPC security groups to comply with FedRAMP Moderate Revision 4 while ensuring secure access to your infrastructure.
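To find every security group that still violates this rule before and after remediation, the following added example (not Cloud Defense's own code) evaluates the parsed output of `aws ec2 describe-security-groups`; it goes beyond the page's 0.0.0.0/0 case by also flagging the IPv6 equivalent ::/0 and all-traffic or wide port-range rules that include port 22. The sample security groups and their IDs are constructed.

```python
"""Flag security-group ingress rules exposing SSH (TCP/22) to the internet.
Added example, not Cloud Defense code; input is the parsed JSON from
`aws ec2 describe-security-groups`. Beyond the page's 0.0.0.0/0 case it also
flags ::/0 and rules whose protocol or port range merely includes port 22."""
SSH_PORT = 22
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def covers_ssh(perm: dict) -> bool:
    """True if one IpPermissions entry would admit TCP/22 traffic."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":                     # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):         # "6" is the numeric form of TCP
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= SSH_PORT <= hi


def find_open_ssh(groups: list) -> list:
    """Return (GroupId, offending CIDR) for every rule violating the page's rule."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_ssh(perm):
                continue
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            findings.extend((sg["GroupId"], c) for c in cidrs if c in OPEN_CIDRS)
    return findings


# Constructed sample in describe-security-groups shape; group IDs are fake.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0000000000000aaaa", "IpPermissions": [        # open SSH
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000bbbb", "IpPermissions": [        # v4 ok, v6 open via "-1"
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000cccc", "IpPermissions": [        # range includes 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000dddd", "IpPermissions": [        # HTTPS only: compliant
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__": print(find_open_ssh(SAMPLE["SecurityGroups"]))
```

Against a real account, run `aws ec2 describe-security-groups --output json`, load the result, and pass its `SecurityGroups` list to find_open_ssh; a compliant account yields an empty list.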
