
Rule: VPC Security Groups Restrict Ingress Access on Common Ports

This rule checks that no VPC security group allows ingress from the whole internet (0.0.0.0/0) on ports 20, 21, 22, 3306, 3389 or 4333, the ports behind FTP, SSH, MySQL, RDP and mSQL.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: GxP 21 CFR Part 11
Severity: High

VPC Security Groups Ingress Access Restriction Rule

Description

The rule requires that no VPC security group permits ingress to ports 20, 21, 22, 3306, 3389 or 4333 from the source 0.0.0.0/0, which is every IPv4 address on the internet. Access to these ports must be limited to specific trusted sources, such as a corporate or VPN CIDR range or another security group, because FTP, SSH, MySQL, RDP and mSQL are login and database services that should never be reachable from arbitrary hosts. The rule is enforced to comply with GxP 21 CFR Part 11, which requires controls that protect the integrity and confidentiality of electronic records and signatures.

Troubleshooting Steps

In case of issues, the following troubleshooting steps can be taken:

  1. Confirm which security groups are attached to the affected instances. An instance can carry several groups, and their allow rules are combined.
  2. Ensure that the security group rules are correctly configured to restrict the ingress access on the specified ports.
  3. Verify that 0.0.0.0/0 (and its IPv6 counterpart, ::/0) does not appear as the source of any rule covering these ports.
  4. Check for broader rules that still expose the ports: an "All traffic" rule, a port range that spans them (for example 1024-65535), or another security group attached to the same instance. Security group rules only allow traffic, so a broad rule is never overridden by a narrower one.
  5. After tightening the rules, make sure the associated instances remain reachable from the sources that legitimately need them.
  6. Inspect the network ACLs (if applicable) to ensure they do not conflict with the security group rules.

Necessary Code

No application code is required for this rule. It is enforced by changing security group rules in the AWS Management Console, with the AWS CLI (aws ec2 revoke-security-group-ingress and aws ec2 authorize-security-group-ingress), or in the infrastructure-as-code templates that define the groups.

Remediation Steps

To remediate the non-compliance with the VPC security group ingress access restriction rule, follow these steps:

  1. Open the AWS Management Console or connect to the AWS CLI.

  2. Navigate to the EC2 service.

  3. Select "Security Groups" from the left-hand menu.

  4. Locate the security group (or groups) attached to the instances that need to be updated.

  5. Select the security group and open the "Inbound rules" tab.

  6. Identify every inbound rule that allows access from 0.0.0.0/0 or ::/0 and covers ports 20, 21, 22, 3306, 3389 or 4333. Include "All traffic" rules and port ranges that span these ports, not only rules for the exact port numbers.

  7. Note the protocol, port and sources of each such rule, then remove it. Removing a wide range (for example 1024-65535) also drops ports outside this policy, so plan to re-add any of those that are genuinely needed.

  8. Click "Add rule" only where a client genuinely needs one of these ports; a port nobody uses should simply stay closed.

  9. For each port you re-add, create a rule with the following details:

    • Type: TCP. FTP, SSH, MySQL, RDP and mSQL are all TCP services.
    • Port Range: the single port number (e.g., 22). Avoid ranges such as 3306-3389, which would open every port in between.
    • Source: a specific CIDR in notation such as 203.0.113.10/32 for one host or 203.0.113.0/24 for a network (these are documentation addresses used here as examples), or the ID of another security group. Never use 0.0.0.0/0 or ::/0 as the source for these ports.

  10. Repeat step 9 for each port mentioned in the policy that still has a legitimate client.

  11. Review the new inbound rules to ensure they match the intended restrictions, and confirm no other security group attached to the same instances still exposes the ports.

  12. Click "Save rules" to persist the changes.

The VPC security group will now allow ingress on ports 20, 21, 22, 3306, 3389 and 4333 only from the specific sources you defined, and no longer from 0.0.0.0/0, as the GxP 21 CFR Part 11 policy requires.
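The detection in step 6 and the revoke/re-add in steps 7 to 9, as an added example that is not part of the original page or of the Cloud Defense product: a Python script that audits a describe-security-groups result offline and emits the exact IpPermissions payloads for revoke-security-group-ingress and authorize-security-group-ingress. It goes beyond an exact-port match by catching "All traffic" rules, port ranges that span the listed ports, and the IPv6 ::/0 source. The group IDs, the sample rules and the 203.0.113.0/24 source are constructed for illustration; the IpPermissions field names and the two API operations are real AWS ones.

```python
from __future__ import annotations
import json

# Ports named by the rule and the services usually behind them.
RESTRICTED_PORTS = {20: "FTP data", 21: "FTP control", 22: "SSH",
                    3306: "MySQL", 3389: "RDP", 4333: "mSQL"}
# "Anywhere" in IPv4 and IPv6; either one exposes a port to the whole internet.
WORLD_OPEN = {"0.0.0.0/0", "::/0"}

# Constructed sample (made-up group IDs) shaped like the IpPermissions JSON
# that `aws ec2 describe-security-groups` returns. Nothing here calls AWS.
SAMPLE_SECURITY_GROUPS = [{
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "app-tier",
    "IpPermissions": [
        # SSH from the world (v4 and v6) and from a corporate range: violation.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # HTTPS from anywhere: not one of the rule's ports, so compliant.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Wide range from the world: silently covers 3306, 3389 and 4333.
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # MySQL only from another security group: compliant.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}]


def restricted_ports_covered(perm: dict) -> list[int]:
    """Ports from RESTRICTED_PORTS that one IpPermissions entry reaches.

    A port-equality check misses two cases handled here: protocol "-1" (the
    console's "All traffic", which has no FromPort/ToPort) and port ranges.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(RESTRICTED_PORTS)
    if proto not in ("tcp", "udp"):  # icmp and friends carry no L4 ports
        return []
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:
        return []
    return [p for p in sorted(RESTRICTED_PORTS) if low <= p <= high]


def world_open_ranges(perm: dict) -> tuple[list[dict], list[dict]]:
    """The IpRanges / Ipv6Ranges entries of perm whose source is 'anywhere'."""
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD_OPEN]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_OPEN]
    return v4, v6


def find_violations(groups: list[dict]) -> list[dict]:
    """One finding per offending entry, with the payload that revokes it.

    The revoke payload lists only the world-open sources, so a corporate range
    sharing the same rule (10.0.0.0/8 above) survives the revoke.
    """
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            ports = restricted_ports_covered(perm)
            v4, v6 = world_open_ranges(perm)
            if not ports or not (v4 or v6):
                continue
            revoke = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":
                revoke.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
            if v4:
                revoke["IpRanges"] = v4
            if v6:
                revoke["Ipv6Ranges"] = v6
            findings.append({"GroupId": sg["GroupId"], "Ports": ports,
                             "Revoke": revoke})
    return findings


def narrowed_rule(port: int, source_cidr: str) -> dict:
    """authorize-security-group-ingress payload re-allowing one port, one CIDR."""
    if source_cidr in WORLD_OPEN:
        raise ValueError("source must be a specific CIDR, not the whole internet")
    src = ({"Ipv6Ranges": [{"CidrIpv6": source_cidr}]} if ":" in source_cidr
           else {"IpRanges": [{"CidrIp": source_cidr}]})
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **src}


if __name__ == "__main__":
    for f in find_violations(SAMPLE_SECURITY_GROUPS):
        print(f["GroupId"], "exposes", f["Ports"], "revoke:", json.dumps(f["Revoke"]))
    # 203.0.113.0/24 is a documentation range standing in for a bastion subnet.
    print("re-add:", json.dumps(narrowed_rule(22, "203.0.113.0/24")))
```

To apply a finding, pass its Revoke payload to `aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions '<json>'` (or boto3's revoke_security_group_ingress), then authorize the narrowed rule the same way. Revoking the 1024-65535 entry removes the whole range, not just the three flagged ports, which is why the script returns the payloads for review rather than applying them.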
