This rule ensures that VPC security groups restrict ingress TCP and UDP access from all IPs.
Rule      | VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework | NIST 800-171 Revision 2
Severity  | High
VPC Security Group Rule Description: Restrict Ingress TCP and UDP Access from 0.0.0.0/0 for NIST 800-171 Revision 2
Rule/Policy Description:
According to the NIST 800-171 Revision 2 security standard, ingress TCP and UDP access to resources in your VPC (Virtual Private Cloud) should be restricted to prevent unauthorized access. Specifically, no security group should allow inbound TCP or UDP traffic from the source range 0.0.0.0/0 (which matches every IPv4 address).
Implementing this rule ensures that only authorized IP addresses or ranges can establish TCP and UDP connections to resources within your VPC.
Troubleshooting Steps:
If you encounter any issues while implementing this rule, follow these troubleshooting steps:
If you still encounter issues, consult the AWS documentation or reach out to AWS support for further assistance.
Necessary Codes:
The following AWS CloudFormation snippet shows a security group whose TCP and UDP ingress is limited to an authorized source range instead of 0.0.0.0/0 (the CIDR and ports below are placeholders to replace with your own values):
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: My security group with ingress restrictions
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443          # narrow to the ports the workload actually needs
          ToPort: 443
          CidrIp: 10.0.0.0/16    # placeholder: an authorized source range, never 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: 10.0.0.0/16    # placeholder: an authorized source range, never 0.0.0.0/0
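As an added check (not part of the original rule page), the following Python evaluates security groups against this rule. The input mirrors the IpPermissions structure that EC2 DescribeSecurityGroups returns, so the output of boto3's describe_security_groups() can be passed in on a live account; the groups below are constructed samples, and treating ::/0 (IPv6) and the all-protocols value "-1" as violations goes beyond the page's 0.0.0.0/0 wording.

```python
from typing import Dict, List

# 0.0.0.0/0 is what the rule names; ::/0 is the IPv6 analogue (assumed in scope).
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# "-1" is the EC2 value for "all protocols", which includes TCP and UDP.
FLAGGED_PROTOCOLS = {"tcp", "udp", "-1"}


def open_ingress_rules(group: Dict) -> List[Dict]:
    """Return the ingress permissions of one group that violate the rule."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = str(perm.get("IpProtocol", "-1"))
        if proto not in FLAGGED_PROTOCOLS:
            continue  # e.g. icmp from 0.0.0.0/0 is outside this rule's scope
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                findings.append({"GroupId": group["GroupId"], "IpProtocol": proto,
                                 "FromPort": perm.get("FromPort"),
                                 "ToPort": perm.get("ToPort"), "Cidr": cidr})
    return findings


def evaluate(groups: List[Dict]) -> Dict[str, str]:
    """Map each group id to COMPLIANT or NON_COMPLIANT for this rule."""
    return {g["GroupId"]: "NON_COMPLIANT" if open_ingress_rules(g) else "COMPLIANT"
            for g in groups}


# Constructed sample groups in DescribeSecurityGroups shape (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-scoped", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-allproto", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group_id, status in evaluate(SAMPLE_GROUPS).items():
        print(group_id, status)
```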
Step-by-Step Guide for Remediation:
Follow these steps to enforce the required ingress TCP and UDP access restrictions from 0.0.0.0/0 for NIST 800-171 Revision 2:
By following these steps, you will enforce the necessary ingress TCP and UDP access restrictions from 0.0.0.0/0 in line with the NIST 800-171 Revision 2 guidelines.