This rule checks that VPC security groups restrict ingress SSH access so that port 22 is not open to the entire internet.
Rule | VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework | Federal Financial Institutions Examination Council (FFIEC)
Severity | High
Rule Overview
The Federal Financial Institutions Examination Council (FFIEC) guidelines require financial institutions to secure their cloud environments according to industry best practices. One critical aspect of this is ensuring that Virtual Private Cloud (VPC) security groups within Amazon Web Services (AWS) do not permit unrestricted ingress Secure Shell (SSH) access from any IP address (0.0.0.0/0), which would allow unauthorized access to the instances within the VPC, potentially compromising sensitive financial data.
Rule Details
Troubleshooting SSH Access Issues
If legitimate SSH access is not functioning correctly after applying restrictions, you should consider the following steps:
Step 1: Verify Security Group Configuration
Ensure that the security group attached to the EC2 instance allows SSH traffic (port 22) from your specific IP address or range.
Step 2: Network Access Control List (NACL) Check
Confirm that the NACLs for the subnet allow inbound and outbound SSH traffic.
Step 3: Instance OS Firewall
Check the operating system's firewall settings to ensure that SSH access is permitted.
Step 4: Route Table and Internet Gateway
Verify the VPC's route table has a route to an Internet Gateway (IGW) if accessing from the internet.
Step 5: SSH Key Pair and Permissions
Ensure that the correct SSH key pair is being used and that the private key permissions are set correctly.
Remediation Steps with CLI Commands
For EC2 instances already running and accessible via SSH from anywhere, you will need to update the associated security group rules.
Step 1: Identify Security Group
First, find out which security groups are set to allow SSH access from anywhere.
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?ToPort==`22` && contains(IpRanges[].CidrIp, `0.0.0.0/0`)]].GroupId' --output text
Step 2: Update Security Group Rules
For each security group ID returned in the previous step, revoke the ingress rule that allows traffic from 0.0.0.0/0.
aws ec2 revoke-security-group-ingress --group-id [SECURITY_GROUP_ID] --protocol tcp --port 22 --cidr 0.0.0.0/0
Replace [SECURITY_GROUP_ID] with the actual security group ID.
Step 3: Restrict SSH to Trusted IPs
Next, you need to add a rule that allows SSH access from a trusted IP address or range.
aws ec2 authorize-security-group-ingress --group-id [SECURITY_GROUP_ID] --protocol tcp --port 22 --cidr [YOUR_IP_ADDRESS]/32
Replace [SECURITY_GROUP_ID] with the security group ID and [YOUR_IP_ADDRESS] with your own IP address.
Step 4: Verify the Changes
Confirm that the security group rules have been successfully updated by listing the rules for the security group:
aws ec2 describe-security-groups --group-ids [SECURITY_GROUP_ID]
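An added audit helper (example code written for this page, not part of the original rule or of any AWS tool) that evaluates JSON in the shape `aws ec2 describe-security-groups` returns and builds the matching revoke command for each offending rule. It goes beyond the Step 1 query above by also flagging port ranges that span 22, all-traffic (-1) rules and the IPv6 equivalent ::/0, which that query does not match; the group IDs and CIDRs are constructed sample data.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output; the group IDs are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa111", "IpPermissions": [  # classic open SSH
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb222", "IpPermissions": [  # port range spanning 22, open only over IPv6
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc333", "IpPermissions": [  # all traffic from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ddd444", "IpPermissions": [  # compliant: SSH from a single trusted host
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.7/32"}]}]},
]})

def rule_reaches_ssh(perm: dict) -> bool:
    """True if the rule covers TCP/22: the exact port, a port range spanning 22, or all traffic (-1)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)

def find_open_ssh(describe_json: str) -> list:
    """One finding per (group, rule, world-open CIDR) that exposes SSH over IPv4 (0.0.0.0/0) or IPv6 (::/0)."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_reaches_ssh(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
            for cidr in cidrs:
                findings.append({"GroupId": sg["GroupId"], "IpProtocol": perm["IpProtocol"],
                                 "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"), "Cidr": cidr})
    return findings

def revoke_command(finding: dict) -> str:
    """Build the revoke command for one finding; --ip-permissions expresses IPv4, IPv6 and -1 rules alike."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:          # protocol -1 rules carry no ports
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in finding["Cidr"] else ("IpRanges", "CidrIp")
    perm[key] = [{field: finding["Cidr"]}]
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['GroupId']} "
            f"--ip-permissions '{json.dumps([perm], separators=(',', ':'))}'")

if __name__ == "__main__":
    for finding in find_open_ssh(SAMPLE_DESCRIBE_OUTPUT):
        print(revoke_command(finding))
```

Each revoke must name the rule exactly as it exists (same protocol, port range and CIDR), which is why the command is derived from the finding rather than hard-coded to port 22.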
Conclusion
By following these steps with the AWS CLI commands above, financial institutions can meet the FFIEC security requirements for VPC security group settings. Regular audits of security group rules, with prompt updates when an open rule is found, help maintain compliance and keep AWS resources secure.