
Rule: VPC Security Groups Restrict Ingress TCP and UDP Access

This rule ensures VPC security groups do not allow inbound TCP and UDP access from 0.0.0.0/0.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description

The rule requires that all security groups within a Virtual Private Cloud (VPC) restrict inbound TCP and UDP access from the IP range 0.0.0.0/0. This rule is applicable for systems that need to comply with the FedRAMP Moderate Revision 4 security standards.

Troubleshooting Steps

If this rule is not implemented correctly or is violated, it could result in unauthorized access to the systems within the VPC. To troubleshoot any issues related to this rule, follow these steps:

  1. Verify the security group rules: Check the inbound rules of the security groups within the VPC to ensure that TCP and UDP access from 0.0.0.0/0 is not allowed.

  2. Check for any conflicting rules: Ensure that there are no conflicting rules that allow access from unintended IP ranges or ports.

  3. Review Network Access Control Lists (NACLs): NACLs can also impact inbound access, so review NACL rules to verify that they align with the security group rules.

  4. Check routing configurations: Incorrect routing configurations could bypass security groups, allowing unrestricted access. Validate the routing tables to ensure they are properly configured.

  5. Review IAM permissions: Verify that there are no inadvertently applied IAM permissions that grant wider access than intended.

Necessary Codes

To comply with this rule, you may need to modify the security group rules in your VPC.

Here is an example of how to remove an open rule using the AWS Command Line Interface (CLI). Note that the command is revoke-security-group-ingress; authorize-security-group-ingress with --cidr 0.0.0.0/0 would do the opposite and open the port to the world:

aws ec2 revoke-security-group-ingress \
    --group-id <security_group_id> \
    --protocol tcp \
    --port <port_number> \
    --cidr 0.0.0.0/0

Replace <security_group_id> with the actual ID of the security group in your VPC and <port_number> with the port number of the rule to remove. Repeat this command for each TCP and UDP port that needs to be restricted (use --protocol udp for UDP rules), then add rules that allow access only from the intended IP ranges.
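The check from the troubleshooting steps can be automated. The following is an added example, not code from Cloud Defense or AWS: it walks security groups in the same shape as boto3's ec2.describe_security_groups() response, flags any TCP, UDP or all-traffic ("-1") ingress permission open to 0.0.0.0/0, and renders the matching revoke command for review. It goes slightly beyond the rule by also flagging the IPv6 equivalent ::/0; the group IDs and rules in SAMPLE_GROUPS are constructed.

```python
import json

# Protocols that admit TCP or UDP; "-1" is AWS's "all traffic" marker.
OPEN_PROTOCOLS = {"tcp", "udp", "-1"}
# IPv4 "anywhere" from the rule, plus its IPv6 counterpart.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample mirroring describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
         {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0fedcba9876543210",
     "IpPermissions": [  # all-traffic rules carry no FromPort/ToPort
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": []}]},
]


def find_world_open_rules(security_groups):
    """Return (group_id, protocol, from_port, to_port, cidr) for every
    ingress permission that allows TCP or UDP from anywhere."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "")
            if proto not in OPEN_PROTOCOLS:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    findings.append((sg["GroupId"], proto, perm.get("FromPort"),
                                     perm.get("ToPort"), cidr))
    return findings


def revoke_command(finding):
    """Render the exact revoke command for one finding, using --ip-permissions
    so that all-traffic and IPv6 rules are expressed the same way."""
    gid, proto, frm, to, cidr = finding
    perm = {"IpProtocol": proto}
    if frm is not None:
        perm["FromPort"], perm["ToPort"] = frm, to
    key, sub = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
    perm[key] = [{sub: cidr}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s "
            "--ip-permissions '%s'" % (gid, json.dumps([perm])))


if __name__ == "__main__":
    for f in find_world_open_rules(SAMPLE_GROUPS):
        print(revoke_command(f))
```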

Remediation Steps

Follow these step-by-step instructions to remediate the rule and ensure that the VPC security groups restrict ingress TCP and UDP access from 0.0.0.0/0:

  1. Identify the relevant security group: Determine the security group(s) where the ingress rules need to be modified. Note down the security group ID(s).

  2. Access the AWS Management Console: Open the AWS Management Console and navigate to the EC2 service.

  3. Locate the relevant security group: Find the security group(s) with the identified ID(s) in the VPC dashboard.

  4. Modify inbound rules: Select the security group and click on the "Inbound Rules" or "Inbound" tab.

  5. Update the rules: Remove any existing rules that allow ingress TCP and UDP access from 0.0.0.0/0. Add new rules to explicitly allow access only from the desired IP ranges and ports.

  6. Save the changes: Click on the "Save" or "Apply Changes" button to save the updated security group configuration.

  7. Verify the changes: Review the updated inbound rules to ensure that they now comply with the requirement to restrict access from 0.0.0.0/0.

  8. Repeat for other security groups: If multiple security groups are affected, repeat steps 4-7 for each one.

By following these steps, you can successfully remediate the VPC security groups to adhere to the rule of restricting ingress TCP and UDP access from 0.0.0.0/0 for FedRAMP Moderate Revision 4.
