
Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0

This rule highlights the importance of restricting SSH access in VPC security groups from a broad IP range.

Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework: GxP 21 CFR Part 11
Severity: High

VPC Security Group Rule for GxP 21 CFR Part 11 Compliance

Rule Description

To comply with the GxP 21 CFR Part 11 regulations and ensure a secure environment, the VPC security groups in your network should restrict ingress SSH access from the IP range 0.0.0.0/0. This ensures that only authorized entities can establish SSH connections to instances within the VPC.

Troubleshooting Steps

If there are issues or difficulties related to this security group rule, consider the following troubleshooting steps:

1. Verify the security group configuration: Double-check that the security group has the necessary inbound rule to restrict SSH access from 0.0.0.0/0.
2. Check for any conflicting rules: Ensure that there are no other inbound rules that allow SSH access from different IP ranges or any conflicting security group rules that override this specific configuration.
3. Review the network ACL settings: Network Access Control Lists (ACLs) can also affect inbound traffic. Ensure that the relevant network ACLs allow SSH access from the specified IP range.

Necessary Code

In order to enforce the security group rule, the following command removes an ingress rule that currently allows SSH (TCP port 22) from 0.0.0.0/0 (authorize-security-group-ingress would add such a rule rather than remove it, and the AWS CLI flag for an IPv4 range is --cidr):

aws ec2 revoke-security-group-ingress --group-id [security-group-id] --protocol tcp --port 22 --cidr 0.0.0.0/0

Replace [security-group-id] with the actual identifier of the target security group.
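As an added example that is not part of the original rule page, the following Python audit works over the JSON shape returned by `aws ec2 describe-security-groups`, flags every SSH source open to the world (including "all traffic" rules and IPv6 ::/0), and emits the matching revoke command. The three security groups and their IDs are constructed sample data.

```python
import json

SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa0001", "IpPermissions": [  # SSH open to the world, v4 and v6
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb0002", "IpPermissions": [  # SSH from a private range only
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0ccc0003", "IpPermissions": [  # "all traffic" rule: reaches 22 too
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def rule_covers_ssh(perm):
    # "-1" is all protocols/ports and carries no FromPort/ToPort; TCP counts if 22 is in range.
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def find_open_ssh(groups):
    # Returns (group_id, permission, cidr) for each world-reachable SSH source.
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_ssh(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], perm, c) for c in cidrs if c in WORLD]
    return findings

def revoke_permission(perm, cidr):
    # One IpPermissions entry removing only the offending CIDR; other sources on the rule stay.
    entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    if ":" in cidr:
        entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        entry["IpRanges"] = [{"CidrIp": cidr}]
    return entry

def revoke_command(group_id, perm, cidr):
    # --ip-permissions takes IPv4 and IPv6 ranges alike; the --cidr shortcut is IPv4-only.
    body = json.dumps([revoke_permission(perm, cidr)])
    return f"aws ec2 revoke-security-group-ingress --group-id {group_id} --ip-permissions '{body}'"
```

Feed it the `SecurityGroups` array from a real describe call and run each emitted command only after confirming the group is not your bastion's intended entry point.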

Step-by-Step Guide for Remediation

Follow these steps to enforce the security group rule and restrict SSH access from 0.0.0.0/0:

1. Identify the Security Group: Determine the security group to which the ingress rule needs to be applied.
2. Access the AWS Management Console: Log in to the AWS Management Console using your AWS credentials.
3. Navigate to EC2: Open the EC2 service page by selecting it from the list of available services within the console.
4. Select Security Groups: From the navigation menu on the left, select "Security Groups" under the "NETWORK & SECURITY" section.
5. Identify the Target Security Group: Locate and select the appropriate security group that requires the SSH ingress rule modification.
6. Modify Inbound Rules: On the "Inbound" tab of the security group details page, click on the "Edit inbound rules" button to modify the incoming traffic rules.
7. Add Inbound Rule: Click on "Add rule" to create a new inbound rule.
8. Configure Rule for SSH Access: Set the protocol as "TCP" and the port range as "22". For the source, enter "0.0.0.0/0" to restrict SSH access from any IP address.
9. Save the Rule: Click on the "Save rules" button to save the changes and enforce the new ingress rule.
10. Verification: Validate that the security group now has the required SSH ingress rule from 0.0.0.0/0.

By following these steps, you will ensure that SSH access to instances within the VPC is restricted from the specified IP range, as required by GxP 21 CFR Part 11 compliance.
