Rule: VPC Security Groups should restrict Ingress TCP and UDP Access from 0.0.0.0/0
This rule ensures VPC Security Groups restrict Ingress TCP and UDP Access from 0.0.0.0/0 to enhance network security.
| Rule | VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0 |
| Framework | NIST 800-171 Revision 2 |
| Severity | ✔ High |
Rule Description
This rule is focused on ensuring that the VPC security groups follow the best security practices by restricting ingress TCP and UDP access from the 0.0.0.0/0 IP address range. This helps in limiting the potential attack surface and reduces the risk of unauthorized access to the system.
Rationale
The rule is based on the NIST 800-171 Revision 2 security framework, which provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. Restricting access from 0.0.0.0/0 helps in meeting the security requirements outlined by NIST and enhances the overall security posture of the system.
Impact of Non-Compliance
Non-compliance with this rule can lead to potential security risks such as unauthorized access to sensitive information, data breaches, and compromise of system integrity. It can also result in non-compliance with regulatory and industry standards, leading to legal and reputational consequences.
Troubleshooting Steps
- 1.Identify the security group associated with the affected VPC or subnets.
- 2.Check the existing inbound rules for TCP and UDP protocols.
- 3.Verify if there are any rules allowing unrestricted access (0.0.0.0/0) for TCP and UDP.
- 4.If such rules are present, consider restricting access to specific IP ranges or security groups.
- 5.Ensure that the required network access is allowed for legitimate traffic while blocking access from the 0.0.0.0/0 range.
Recommended Actions
Follow the steps below to remediate the non-compliance by restricting ingress TCP and UDP access from 0.0.0.0/0:
- 1.Identify the affected VPC or subnets.
- 2.Determine the security group(s) associated with the VPC or subnets.
- 3.Access the AWS Management Console or use the AWS Command Line Interface (CLI) for making the necessary changes.
- 4.Retrieve the details of the security group(s) using the following command:
aws ec2 describe-security-groups --group-ids <security-group-id>
- 1.Update the security group(s) to remove any existing inbound rules allowing access from 0.0.0.0/0 for TCP and UDP.
- 2.Add specific IP ranges or security group(s) that need access to the inbound rules.
- 3.Verify and validate the changes to ensure that the required access is still allowed while restricting access from 0.0.0.0/0.
- 4.Test the connectivity to ensure the proper functioning of the system.
Example AWS CLI Commands
To retrieve and modify the security group(s) using the AWS CLI, use the following commands:
- 1.To list all security groups associated with the VPC:
aws ec2 describe-security-groups --filters "Name=vpc-id,Values=<vpc-id>"
- 1.To remove an existing inbound rule that allows access from 0.0.0.0/0:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --cidr 0.0.0.0/0
- 1.To add a new inbound rule that allows access from a specific IP range:
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port> --cidr <ip-range>
Make sure to replace
<vpc-id><security-group-id><port><ip-range>References