
Ensure VPC Security Groups Restrict Ingress Access Rule

This rule ensures VPC security groups restrict ingress access on common ports from all sources.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

The VPC security groups should be configured to restrict the ingress (incoming) access on ports 20, 21, 22, 3306, 3389, and 4333 from the IP range 0.0.0.0/0 for compliance with the NIST 800-171 Revision 2 security standard.

Troubleshooting Steps:

  1. Verify the existing security group rules:

    • Go to the AWS Management Console.
    • Navigate to the VPC service.
    • Select the appropriate VPC.
    • Click on "Security Groups" in the left sidebar.
    • Identify the security group associated with the affected resources.
    • Review the inbound rules to check if any open access from 0.0.0.0/0 on the specified ports is present.
  2. Check if any necessary exceptions are required:

    • Determine if there are any specific requirements for allowing access on the mentioned ports from certain IP ranges or specific resources. Keep in mind that these exceptions should be kept to a minimum and follow the principle of least privilege.
  3. Update the security group rules:

    • Modify the existing security group rules to restrict ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from the IP range 0.0.0.0/0.
    • Remove any existing rules that allow unrestricted access on these ports.
    • Add explicit rules that allow access only from the required IP ranges or specific resources, if applicable.
  4. Test the updated configuration:

    • Verify that the updated security group rules are now in effect.
    • Test the connectivity to the affected resources on the restricted ports from both allowed and disallowed IP addresses.
    • Ensure that the necessary access is allowed while unauthorized access is denied.

Necessary Codes:

No code is necessary for this task. It requires configuration changes in the AWS Management Console or using the AWS CLI/SDK.
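The verification in troubleshooting step 1 can also be run against the JSON that `aws ec2 describe-security-groups` returns. The following is an added example, not code from this page or from Cloud Defense: it evaluates a constructed sample (not a live account), also flags `::/0` (the IPv6 "any" source, which goes beyond the rule's 0.0.0.0/0 wording), and handles the "all traffic" protocol (`-1`, which carries no port fields) and port ranges that span one of the monitored ports.

```python
import json

MONITORED_PORTS = {20, 21, 22, 3306, 3389, 4333}   # ports named by the rule
WORLD_OPEN_SOURCES = {"0.0.0.0/0", "::/0"}          # ::/0 (IPv6 any) goes beyond the rule text

def permission_is_world_open(perm):
    """True if an IpPermissions entry lists 0.0.0.0/0 or ::/0 as a source."""
    sources = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    sources |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(sources & WORLD_OPEN_SOURCES)

def ports_exposed(perm):
    """Monitored ports covered by one IpPermissions entry.
    IpProtocol "-1" is 'all traffic' with no FromPort/ToPort, so it exposes
    every monitored port; tcp/udp entries may span a range of ports."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(MONITORED_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in MONITORED_PORTS if lo <= p <= hi}

def find_violations(security_groups):
    """Map each non-compliant GroupId to the sorted monitored ports open to the world."""
    findings = {}
    for sg in security_groups:
        exposed = set()
        for perm in sg.get("IpPermissions", []):
            if permission_is_world_open(perm):
                exposed |= ports_exposed(perm)
        if exposed:
            findings[sg["GroupId"]] = sorted(exposed)
    return findings

# Constructed sample shaped like `aws ec2 describe-security-groups` output (not real data).
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0example0001", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3310, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
 {"GroupId": "sg-0example0002", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0example0003", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}]}""")
if __name__ == "__main__":
    for group_id, ports in find_violations(SAMPLE["SecurityGroups"]).items():
        print(f"{group_id}: world-open on monitored ports {ports}")
```

To run it against a real account, pipe the output of `aws ec2 describe-security-groups` into `json.load` in place of `SAMPLE`; the group opening port 443 to the world is reported as compliant because 443 is not one of the ports this rule covers.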

Step-by-step Guide for Remediation:

  1. Open the AWS Management Console.
  2. Go to the VPC service.
  3. Select the appropriate VPC.
  4. Click on "Security Groups" in the left sidebar.
  5. Identify the security group associated with the affected resources.
  6. Review the existing inbound rules.
  7. Modify the security group rules as follows:
    • Remove any existing rules that allow unrestricted access on ports 20, 21, 22, 3306, 3389, and 4333.
    • Add new inbound rules for each of the mentioned ports to allow access only from the required IP ranges or specific resources.
  8. Save the updated security group configuration.
  9. Test the updated configuration by attempting to access the affected resources on the restricted ports.
    • Confirm that access is allowed from the specified IP ranges or specific resources.
    • Ensure that access from unauthorized IP addresses is denied.
  10. If required, document the changes made and update any relevant documentation or runbooks.

Note: It is recommended to follow the principle of least privilege and only allow access from sources that are necessary for the functioning of the resources.
