Rule: VPC Security Groups Should Restrict Ingress Access

This rule ensures that security groups do not allow inbound access on commonly attacked administrative and database ports from any source (0.0.0.0/0).

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: HIPAA
Severity: High

Rule Description

This rule states that no security group within the VPC may allow ingress on ports 20 and 21 (FTP), 22 (SSH), 3306 (MySQL/MariaDB), 3389 (RDP) or 4333 (mSQL) from the IP range 0.0.0.0/0, i.e. from every address on the internet. It supports the technical safeguards required by HIPAA (Health Insurance Portability and Accountability Act): an administrative or database port reachable from anywhere lets attackers brute-force credentials and probe for vulnerabilities directly against systems that may hold protected health information. Because security groups are allow-lists with no deny rules, a group is compliant simply when none of its inbound rules grants one of these ports to 0.0.0.0/0; the IPv6 equivalent ::/0 is just as open and should be treated the same way.

Troubleshooting Steps

If the rule reports a finding against a security group, work through these checks:

  1. Verify Security Group Rules: List the inbound rules of every security group in the VPC, including groups that are not attached to anything, since the rule evaluates the group itself.
  2. Ingress Rule Presence: Look for any inbound rule whose port range covers 20, 21, 22, 3306, 3389 or 4333. A wide range such as 0-1024 or an "All traffic" rule covers these ports even though the numbers never appear in it.
  3. IP Range: Confirm that no such rule has 0.0.0.0/0 as its source. Check the IPv6 counterpart ::/0 as well.
  4. Allow-List Semantics: Security groups have no rule priority and no deny rules; every rule is an allow, so a permissive rule is never overridden by a stricter one and simply adds another path in. (Rule ordering matters for network ACLs, not security groups.)
  5. Instances and Subnets: Identify which instances or network interfaces use the group so you know what is exposed and what remediation will affect. Security groups attach to network interfaces, not to subnets.

Necessary Codes

Here is a CloudFormation template that grants the listed ports only to a trusted source range, which is what the rule checks for. The VPC ID and the trusted range are parameters; the default for TrustedCidr is a placeholder to be replaced with your own VPN or bastion range:

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC in which the security group is created
  TrustedCidr:
    Type: String
    Description: >-
      Source range allowed to reach the restricted ports, e.g. a corporate VPN
      or bastion range. Must never be 0.0.0.0/0 or ::/0.
    Default: 10.0.0.0/16   # placeholder, replace with your own range

Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: MySecurityGroup
      GroupDescription: Security group for HIPAA compliance
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Each restricted port is granted only to TrustedCidr. Security groups are
        # allow-lists, so compliance means no entry below names 0.0.0.0/0 or ::/0.
        - IpProtocol: tcp
          FromPort: 20
          ToPort: 20
          CidrIp: !Ref TrustedCidr
        - IpProtocol: tcp
          FromPort: 21
          ToPort: 21
          CidrIp: !Ref TrustedCidr
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref TrustedCidr
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: !Ref TrustedCidr
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref TrustedCidr
        - IpProtocol: tcp
          FromPort: 4333
          ToPort: 4333
          CidrIp: !Ref TrustedCidr

The above CloudFormation template creates a security group whose ingress on the six ports is limited to the TrustedCidr parameter. For service ports such as 3306 it is usually better still to use SourceSecurityGroupId instead of CidrIp, so that only members of the application's security group can connect, and to leave out any port that is not actually needed rather than granting it at all.

Step-by-Step Guide for Remediation

Follow these steps to remove ingress from 0.0.0.0/0 on the specified ports and replace it with access from trusted sources only:

  1. Log in to the AWS Management Console.
  2. Go to the EC2 dashboard.
  3. Click on "Security Groups" in the left navigation menu.
  4. Select the security group that needs to be modified.
  5. Open the "Inbound rules" tab (labelled "Inbound" in older versions of the console).
  6. Click "Edit inbound rules".
  7. Delete every rule whose port range covers 20, 21, 22, 3306, 3389 or 4333 and whose source is 0.0.0.0/0 (or ::/0). Remember that "All traffic" and wide ranges such as 0-65535 cover these ports too.
  8. For each port that still needs to be reachable, click "Add rule".
  9. Select the "Type" (for example SSH, RDP or MySQL/Aurora) or choose "Custom TCP" and enter the port number in "Port range".
  10. In "Source", enter a specific trusted CIDR (a VPN or bastion range) or, for service ports such as 3306, select another security group so that only its members can connect. Never enter 0.0.0.0/0 or ::/0.
  11. Click "Save rules".
  12. Repeat steps 8-11 for each port that needs restricted access. Ports that are no longer needed should not be re-added at all.
  13. Verify the inbound rules in the security group details, and confirm that no other security group attached to the same instances reopens these ports.
  14. The change takes effect immediately on every network interface that uses the group; no re-association is needed. If you created a new group instead of editing the existing one, attach it to the instances and detach the permissive group.

By following these steps, ingress on the specified ports is limited to trusted sources, which satisfies the rule and the HIPAA safeguards it supports.
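The troubleshooting checks and the remediation steps above can both be scripted against the output of EC2 DescribeSecurityGroups. The following is an added example for this page, not Cloud Defense's or AWS's own code: it flags any inbound rule whose port range covers one of the six ports and whose source is 0.0.0.0/0 or ::/0 (including "All traffic" and wide ranges that hide the port number), builds the exact IpPermissions payload that RevokeSecurityGroupIngress requires, and re-grants the ports from a trusted CIDR only. The security group SAMPLE_GROUP, the group ID sg-0example and the CIDRs 10.0.0.0/16 and 203.0.113.0/24 are constructed for the example; the boto3 calls (describe_security_groups, revoke_security_group_ingress, authorize_security_group_ingress) are real but are only needed for the optional live run at the bottom.

```python
"""Flag and fix security-group ingress that opens 20, 21, 22, 3306, 3389 or 4333
to the internet. Added example for this page (not Cloud Defense tooling); it works
on the IpPermissions structure EC2 DescribeSecurityGroups returns, so SAMPLE_GROUP
below is constructed by hand and only the __main__ block needs AWS credentials."""
from __future__ import annotations

RULE_PORTS = frozenset({20, 21, 22, 3306, 3389, 4333})
# The rule text names 0.0.0.0/0; the IPv6 counterpart ::/0 is just as open.
ANYWHERE = frozenset({"0.0.0.0/0", "::/0"})


def exposed_ports(perm: dict, ports=RULE_PORTS) -> set[int]:
    """Ports from `ports` that one IpPermissions entry admits.

    IpProtocol "-1" is "All traffic" (no ports), so everything matches. For TCP
    the whole FromPort..ToPort range is checked, so a 22 hidden inside 0-1024 is
    caught like an exact 22-22 rule. The six services are TCP; UDP/ICMP are skipped.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(ports)
    if proto not in ("tcp", "6"):
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ports if lo <= p <= hi}


def open_sources(perm: dict) -> tuple[list[dict], list[dict]]:
    """(IPv4, IPv6) range entries of one permission whose CIDR is any-source."""
    v4 = [{"CidrIp": r["CidrIp"]} for r in perm.get("IpRanges", [])
          if r.get("CidrIp") in ANYWHERE]
    v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in perm.get("Ipv6Ranges", [])
          if r.get("CidrIpv6") in ANYWHERE]
    return v4, v6


def find_violations(group: dict, ports=RULE_PORTS) -> list[dict]:
    """One finding per offending IpPermissions entry of a security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        v4, v6 = open_sources(perm)
        hit = exposed_ports(perm, ports)
        if (v4 or v6) and hit:
            findings.append({
                "group": group["GroupId"], "ports": sorted(hit), "permission": perm,
                "sources": [r["CidrIp"] for r in v4] + [r["CidrIpv6"] for r in v6]})
    return findings


def revoke_payload(finding: dict) -> dict:
    """IpPermissions entry for RevokeSecurityGroupIngress: protocol and port range
    are echoed back exactly, but only the any-source CIDRs are listed, so a rule
    that also names a specific CIDR keeps that specific grant."""
    perm = finding["permission"]
    entry = {"IpProtocol": perm["IpProtocol"]}
    if "FromPort" in perm:
        entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
    v4, v6 = open_sources(perm)
    if v4:
        entry["IpRanges"] = v4
    if v6:
        entry["Ipv6Ranges"] = v6
    return entry


def remediate(ec2, group: dict, trusted_cidr: str, ports=RULE_PORTS) -> list[dict]:
    """Revoke every open rule, then re-grant the same ports from trusted_cidr only.
    `ec2` is a boto3 EC2 client (anything with the same two methods works).
    Caveat: revoking an "All traffic" or 0-1024 rule also closes ports this rule
    does not cover (80, 443, ...), so review the findings before calling this."""
    findings = find_violations(group, ports)
    if not findings:
        return []
    ec2.revoke_security_group_ingress(
        GroupId=group["GroupId"], IpPermissions=[revoke_payload(f) for f in findings])
    needed = sorted({p for f in findings for p in f["ports"]})  # de-duplicated
    ec2.authorize_security_group_ingress(
        GroupId=group["GroupId"],
        IpPermissions=[{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
                        "IpRanges": [{"CidrIp": trusted_cidr}]} for p in needed])
    return findings


# Constructed sample in the shape of DescribeSecurityGroups.SecurityGroups[i].
SAMPLE_GROUP = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,      # SSH from anywhere: finding
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,  # MySQL from the VPC only: fine
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,  # range hides 3306/3389; IPv6 any
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,    # HTTPS from anywhere: not a rule port
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}

if __name__ == "__main__":
    import boto3  # only needed against a live account
    ec2 = boto3.client("ec2")
    for page in ec2.get_paginator("describe_security_groups").paginate():
        for sg in page["SecurityGroups"]:
            for f in find_violations(sg):
                print(f["group"], f["ports"], f["sources"])
```

Run with AWS credentials in place to list findings across the account; on the constructed SAMPLE_GROUP it reports the 22-from-anywhere rule and the 3000-4000 IPv6 range (which covers 3306 and 3389), and ignores the 443 rule because that port is outside the rule's scope. Call remediate() only on a group you have reviewed: revoking an "All traffic" rule also closes ports this rule does not cover and that an application may rely on.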
