This rule ensures VPC security groups limit SSH access from all sources to enhance security measures.
Rule | VPC security groups should restrict ingress SSH access from 0.0.0.0/0 |
Framework | FedRAMP Moderate Revision 4 |
Severity | ✔ High |
Rule Description
This rule is a security requirement for VPC (Virtual Private Cloud) security groups in order to adhere to the FedRAMP (Federal Risk and Authorization Management Program) Moderate Revision 4 compliance. It stipulates that the ingress SSH (Secure Shell) access should be restricted only from specific IP addresses and not allow access from any source IP address (0.0.0.0/0) for enhanced security.
Troubleshooting Steps
If this rule is not being correctly enforced, it can pose a security risk by allowing unrestricted SSH access to the VPC. To troubleshoot and ensure compliance with this rule, follow these steps:
1. Identify the affected VPC security group(s): Determine which VPC security group(s) are in violation of the rule.
2. Assess the existing inbound SSH rules: Check the existing inbound rules within the identified security group(s) to determine if there are any open ingress SSH rules allowing access from 0.0.0.0/0.
3. Validate IP address restrictions: Verify that the SSH access is only allowed from IP addresses that comply with FedRAMP Moderate Revision 4 requirements. Ensure that the IP addresses allowed for SSH ingress are documented and authorized.
4. Update security group rules: Modify the security group rules to restrict SSH access to only the authorized IP addresses. Remove any rules allowing SSH access from 0.0.0.0/0.
5. Test connectivity: Validate that the modified security group rules do not impact the intended SSH access from the authorized IP addresses.
6. Repeat steps for all affected security groups: If there are multiple security groups violating the rule, repeat the above steps to update and verify the rules for each affected group.
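The identification and assessment steps above can be run as a script instead of by hand. The following Python example is added here and is not part of this rule page or of any AWS tooling; it assumes input in the JSON shape returned by `aws ec2 describe-security-groups` (the "SecurityGroups" list, with IpPermissions, IpRanges, Ipv6Ranges and UserIdGroupPairs), and the security groups embedded in it are constructed sample data. It flags every ingress rule that reaches TCP/22 from 0.0.0.0/0 or ::/0, including rules that do so indirectly (a wide port range or an all-traffic "-1" rule), and prints the matching revoke command for each finding.

```python
"""Audit security groups for SSH (TCP/22) ingress open to any source.

Input records follow the JSON that `aws ec2 describe-security-groups`
returns; SAMPLE_GROUPS below is constructed sample data, not real output.
"""
import json

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "any source"

# Constructed sample data: three violating groups and one compliant group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,  # range covers 22
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "all-traffic", "IpPermissions": [
        {"IpProtocol": "-1",  # all protocols and ports, no FromPort/ToPort
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "compliant", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0eee"}]},  # SSH from one SG only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},  # not SSH
]


def rule_covers_ssh(perm):
    """True if an IpPermissions entry reaches TCP/22, directly or via a range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # all traffic: no port fields are present
        return True
    if proto != "tcp":
        return False
    low = perm.get("FromPort", 0)
    high = perm.get("ToPort", 65535)
    return low <= SSH_PORT <= high


def world_open_sources(perm):
    """Return the CIDRs in this rule that mean 'any source' (v4 and v6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_violations(security_groups):
    """Return (group_id, protocol, from_port, to_port, cidr) per violating rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_ssh(perm):
                continue
            for cidr in world_open_sources(perm):
                findings.append((sg["GroupId"], perm.get("IpProtocol"),
                                 perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def revoke_command(finding):
    """Build the AWS CLI revoke command for one finding.

    Revoking must name the rule exactly as it exists, so a 0-1024 range is
    revoked whole (AWS does not carve port 22 out of a wider rule); the
    authorized replacement rule is then added separately.
    """
    group_id, proto, from_port, to_port, cidr = finding
    perm = {"IpProtocol": proto}
    if proto != "-1":
        perm["FromPort"] = from_port
        perm["ToPort"] = to_port
    if ":" in cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": cidr}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s "
            "--ip-permissions '%s'" % (group_id, json.dumps([perm])))


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_GROUPS):
        print("VIOLATION %s: %s %s-%s from %s" % finding)
        print("  " + revoke_command(finding))
```

To run it against a real account, replace SAMPLE_GROUPS with the parsed output of `aws ec2 describe-security-groups --query SecurityGroups --output json`; the `--ip-permissions` form is used for the revoke command because it expresses port ranges, all-traffic rules and IPv6 sources uniformly.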
Necessary Code
When remediation is required, you need to modify the security group ingress rules to restrict SSH access: revoke the rule that allows port 22 from 0.0.0.0/0, then authorize SSH only from the allowed source. Below is an example of how to achieve this using the AWS CLI (Command Line Interface):

aws ec2 revoke-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 22 \
  --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 22 \
  --source-group <allowed-security-group-id>

Replace <security-group-id> with the ID of the affected security group and <allowed-security-group-id> with the ID of the security group that is allowed SSH access.
Step-by-Step Remediation Guide
Follow these steps to remediate the VPC security groups and enforce the rule for restricting SSH access from 0.0.0.0/0:
1. Identify the affected security group(s) in your VPC.
2. Access the AWS Management Console or use the AWS CLI for management and configuration.
3. Locate the security group(s) either by searching or navigating through the network services menu.
4. Select the security group that needs remediation.
5. Review the inbound rules of the selected security group to identify any existing SSH access from 0.0.0.0/0.
6. Update the security group rules to restrict SSH access only to authorized IP addresses or ranges. Remove any rules allowing SSH access from 0.0.0.0/0.
7. Save the changes made to the security group.
8. Repeat steps 4-7 for any additional affected security groups.
9. Test SSH connectivity from authorized IP addresses to ensure that the SSH access is not affected by the changes.
10. Document the changes made and ensure proper communication with relevant stakeholders.
By following these steps, you can effectively enforce the rule for restricting ingress SSH access from 0.0.0.0/0 for FedRAMP Moderate Revision 4 compliance.