
Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0

This rule ensures that VPC security groups restrict TCP and UDP access from 0.0.0.0/0 for enhanced security.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description:

According to the FedRAMP Moderate Revision 4 guidelines, VPC security groups should not contain ingress rules that admit TCP or UDP traffic from the IP range 0.0.0.0/0 (every IPv4 address). Removing such rules means the security group only accepts inbound connections from explicitly listed source ranges, on the specific ports and protocols each workload needs, which reduces the attack surface exposed to the Internet and improves the overall security posture of the VPC.

Troubleshooting Steps (if any):

If the VPC security group is not correctly configured to restrict ingress TCP and UDP access from 0.0.0.0/0, you may encounter connectivity issues or unauthorized access attempts. To troubleshoot this, follow the steps below:

  1. Check the inbound rules of the VPC security group.
  2. Verify if there are any TCP or UDP rules allowing access from 0.0.0.0/0.
  3. Ensure that the rules only allow access on specific ports and protocols as required.
  4. If incorrect or unnecessary rules are found, remove them and add the appropriate rules.

Necessary Codes (if any):

To implement the necessary rule, you can use the AWS Command Line Interface (CLI) or the AWS Management Console.

AWS CLI Command:

# Remove the TCP rule that is open to the world (0.0.0.0/0)
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-range> --cidr 0.0.0.0/0
# Remove the UDP rule that is open to the world (0.0.0.0/0)
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol udp --port <port-range> --cidr 0.0.0.0/0

Replace <security-group-id> with the actual ID of the VPC security group and <port-range> with the port range of the rule that is open to 0.0.0.0/0. The protocol, port range and CIDR must match the existing rule exactly for the revoke to take effect.
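The troubleshooting steps and the CLI commands above both reduce to the same task: find every ingress rule whose source is 0.0.0.0/0 on TCP, UDP or all protocols, then revoke it. The script below is an added example, not Cloud Defense's own code. It parses the JSON shape that `aws ec2 describe-security-groups` returns (a constructed sample is embedded inline; the group IDs in it are placeholders), lists the offending rules, and builds the matching `aws ec2 revoke-security-group-ingress` lines without calling AWS. It goes slightly beyond the rule text in two ways: it treats the all-protocol value `-1` as covering TCP and UDP, and it also flags the IPv6 equivalent `::/0`. The `allowed_public_ports` exception list (for ports you deliberately expose) is this example's own assumption and is not part of the rule.

```python
"""Audit security-group ingress for rules open to the world and build the
revoke commands. Added example; it never calls AWS itself."""
import json

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"

# Constructed sample in describe-security-groups output format.
# The sg-... IDs are placeholders, not real security groups.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d4e5f00001", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0a1b2c3d4e5f00002", "GroupName": "legacy",
         "IpPermissions": [
             # "-1" is "all traffic": it includes TCP and UDP and has no ports
             {"IpProtocol": "-1",
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
              "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
})


def find_open_ingress(describe_json, allowed_public_ports=frozenset()):
    """Return one finding per (rule, world CIDR) pair on tcp, udp or -1.

    allowed_public_ports: single TCP/UDP ports intentionally exposed
    (assumption of this example, e.g. 443 on a public endpoint).
    """
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto not in ("tcp", "udp", "-1"):
                continue  # icmp and other protocols are outside this rule
            from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
            # Only an exact single-port rule can be on the allow-list; a
            # range that merely contains an allowed port is still flagged.
            if proto != "-1" and from_port == to_port and from_port in allowed_public_ports:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == WORLD_V4]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == WORLD_V6]
            for cidr in sources:
                findings.append({"GroupId": group["GroupId"], "IpProtocol": proto,
                                 "FromPort": from_port, "ToPort": to_port, "Cidr": cidr})
    return findings


def revoke_command(finding):
    """Build the aws ec2 revoke-security-group-ingress line for one finding.

    The revoke must match the existing rule exactly (protocol, ports, CIDR).
    """
    gid, proto, cidr = finding["GroupId"], finding["IpProtocol"], finding["Cidr"]
    if proto == "-1" or cidr == WORLD_V6:
        # All-protocol rules have no --port, and IPv6 sources need Ipv6Ranges,
        # so use the --ip-permissions JSON form for these.
        perm = {"IpProtocol": proto}
        if proto != "-1":
            perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
        key, field = ("Ipv6Ranges", "CidrIpv6") if cidr == WORLD_V6 else ("IpRanges", "CidrIp")
        perm[key] = [{field: cidr}]
        return (f"aws ec2 revoke-security-group-ingress --group-id {gid} "
                f"--ip-permissions '{json.dumps([perm], separators=(',', ':'))}'")
    ports = (str(finding["FromPort"]) if finding["FromPort"] == finding["ToPort"]
             else f"{finding['FromPort']}-{finding['ToPort']}")
    return (f"aws ec2 revoke-security-group-ingress --group-id {gid} "
            f"--protocol {proto} --port {ports} --cidr {cidr}")


def remediation_plan(describe_json, allowed_public_ports=frozenset()):
    """Revoke commands for every finding, in discovery order."""
    return [revoke_command(f) for f in find_open_ingress(describe_json, allowed_public_ports)]


if __name__ == "__main__":
    # With 443 allowed, the sample yields three findings: tcp/22, all-traffic, udp/53 over IPv6
    for line in remediation_plan(SAMPLE_DESCRIBE_OUTPUT, allowed_public_ports={443}):
        print(line)
```

To use it against a real account, save `aws ec2 describe-security-groups --output json` to a file, pass its contents to `remediation_plan`, and review the printed commands before running any of them; the script deliberately prints rather than executes so that a reviewer can confirm each rule is genuinely unwanted before it is removed.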

Step-by-Step Guide for Remediation:

To ensure that VPC security groups restrict ingress TCP and UDP access from 0.0.0.0/0 according to the FedRAMP Moderate Revision 4 guidelines, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the Amazon VPC service.
  2. Click on "Security Groups" in the left sidebar.
  3. Identify the desired VPC security group from the list and click on it.
  4. In the "Inbound Rules" or "Inbound" section, review the existing rules.
  5. Identify any TCP or UDP rules that allow access from 0.0.0.0/0.
  6. If unnecessary or incorrect rules are found, select them and click on the "Remove" or "Delete" button.
  7. Click on the "Add Rule" or "Add Inbound Rule" button.
  8. Select the protocol (TCP or UDP) and enter the desired port range.
  9. In the "Source" or "Source IP" field, enter "0.0.0.0/0" to allow access from any IP address.
  10. Click on the "Save" or "Add Rule" button to apply the changes.
  11. Repeat steps 7-10 for each required port or protocol that needs to be accessible from 0.0.0.0/0.

By following the above steps, you will have configured the VPC security group to restrict ingress TCP and UDP access from 0.0.0.0/0, aligning with the FedRAMP Moderate Revision 4 requirements.
