Login

Cloud Defense Logo

Products

Solutions

Company

Book A Live Demo

Rule: VPC Security Groups Ingress Access Restriction

This rule focuses on restricting ingress access on common ports for VPC security groups.

RuleVPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
FrameworkFedRAMP Moderate Revision 4
Severity
High

Rule Description

This rule is designed to ensure that the ingress access on specific ports (20, 21, 22, 3306, 3389, 4333) for a VPC's security group is restricted to a specific source IP range (0.0.0.0/0). This rule is in compliance with the FedRAMP Moderate Revision 4 requirements for securing VPCs. By implementing this rule, the VPC's security is enhanced by only allowing incoming connections on these ports from the specified source IP range.

Troubleshooting Steps (if applicable)

  2. 1.

    Check the VPC's security group configuration to verify if the ingress access rule exists.

  4. 2.

    Ensure that the specified ports (20, 21, 22, 3306, 3389, 4333) are correctly defined in the ingress access rule.

  6. 3.

    Verify if the source IP range for the ingress access rule is set to 0.0.0.0/0.

  8. 4.

    Review any error messages or warnings generated by the VPC's security group.

Necessary Codes (if applicable)

There are no specific codes or scripts required for this rule.

Step-by-Step Guide for Remediation

  2. 1.

    Open the AWS Management Console and navigate to the VPC service.

  4. 2.

    Select the VPC for which you want to configure the security group.

  6. 3.

    In the left sidebar, click on "Security Groups."

  8. 4.

    Identify the security group that needs to be updated to enforce the ingress access rule.

  10. 5.

    Select the desired security group and click on "Inbound Rules."

  12. 6.

    Look for existing rules that allow access on ports 20, 21, 22, 3306, 3389, 4333.

  14. 7.

    If there are any existing rules allowing ingress access on these ports from 0.0.0.0/0, skip to step 10.

  16. 8.

    Click on "Edit inbound rules" to modify the existing rules.

  18. 9.

    Remove any rules that allow ingress access on ports 20, 21, 22, 3306, 3389, 4333 from different source IP ranges.

  20. 10.

    Click on "Add rule" to create the new ingress access rule.

  22. 11.

    Set the following values for the new rule:

    • Type: Custom TCP Rule
    • Protocol: TCP
    • Port Range: Specify each port individually (20, 21, 22, 3306, 3389, 4333)
    • Source: Custom IP - Specify 0.0.0.0/0
  24. 12.

    Click on "Save rules" to apply the changes.

  26. 13.

    Verify that the new ingress access rule is enforced correctly by reviewing the security group's inbound rules.

  28. 14.

    Test the connectivity to the VPC on ports 20, 21, 22, 3306, 3389, 4333 from a different source IP to ensure the rule is working as expected.

Additional Notes

  • The rule only applies to the specified ports (20, 21, 22, 3306, 3389, 4333). Other ports should be evaluated and configured separately if needed.
  • It is recommended to regularly review and audit the security group rules to ensure they align with the required policies and standards.

Is your System Free of Underlying Vulnerabilities?
Find Out Now