Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0

This rule ensures that VPC security groups restrict ingress TCP and UDP access from all IPs.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: NIST 800-171 Revision 2
Severity: High

VPC Security Group Rule Description: Restrict Ingress TCP and UDP Access from 0.0.0.0/0 for NIST 800-171 Revision 2

Rule/Policy Description:

According to the NIST 800-171 Revision 2 security standard, ingress TCP and UDP access within your VPC (Virtual Private Cloud) should be restricted to prevent unauthorized access. Specifically, inbound traffic originating from the IP address range 0.0.0.0/0 (representing all IPv4 addresses) should be restricted: because security group rules only ever allow traffic, an ingress rule with that source exposes the listed TCP or UDP ports to every host on the Internet.

Implementing this rule ensures that only specific IP addresses or ranges that are authorized can establish TCP and UDP connections to resources within your VPC.

Troubleshooting Steps:

If you encounter any issues while implementing this rule, follow these troubleshooting steps:

  1. Verify that the VPC security group associated with the affected resources is correctly configured.
  2. Double-check the rule's configuration to ensure that the ingress TCP and UDP access restrictions are set to the desired values.
  3. Make sure that the IP address range being blocked is correctly specified as "0.0.0.0/0."
  4. Check if any conflicting security group rules are present. Remove or modify them as needed to align with the NIST 800-171 Revision 2 requirements.
  5. Verify that the affected resources are launched within the expected VPC and associated with the correct security group.

If you still encounter issues, consult the AWS documentation or reach out to AWS support for further assistance.

Necessary Codes:

The following code snippet represents an example of a security group rule in AWS CloudFormation to enforce the necessary ingress TCP and UDP restrictions:

AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AuthorizedCidr:
    Type: String
    Description: IPv4 CIDR range allowed to reach the group. The default is a placeholder; set it to your authorized range.
    Default: 10.0.0.0/16
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: My security group with ingress restrictions
      SecurityGroupIngress:
        # The source of each rule is the authorized range, never 0.0.0.0/0;
        # a rule with CidrIp 0.0.0.0/0 is exactly what this control flags.
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: !Ref AuthorizedCidr
        - IpProtocol: udp
          FromPort: 0
          ToPort: 65535
          CidrIp: !Ref AuthorizedCidr

Step-by-Step Guide for Remediation:

Follow these steps to enforce the required ingress TCP and UDP access restrictions from 0.0.0.0/0 for NIST 800-171 Revision 2:

  1. Access the AWS Management Console.
  2. Navigate to the VPC service.
  3. Select the VPC where your resources are located.
  4. In the left sidebar, choose "Security Groups."
  5. Identify the security group associated with the resources requiring ingress restrictions.
  6. Select the security group.
  7. In the "Inbound Rules" or "Ingress" tab, locate any existing rules allowing TCP and UDP traffic from 0.0.0.0/0.
  8. Remove the existing rules if present by selecting them and choosing "Delete."
  9. Click "Add Rule" or "Create Rule" to create new ingress rules.
  10. Choose the "TCP" protocol (or "UDP" for UDP traffic).
  11. Set the "Port Range" to allow connections within the desired range (e.g., 0-65535 to allow all ports).
  12. Specify the "Source" as "Custom" and enter the IP address range as "0.0.0.0/0."
  13. Click "Save" or "Add Rule" to apply the new rule to the security group.
  14. Repeat steps 10-13 to add both TCP and UDP ingress rules.
  15. Verify that the rules are correctly applied to the security group and resources within your VPC are appropriately protected.
  16. Test the changes by trying to establish inbound TCP and UDP connections from IP addresses outside the authorized range. These connections should be rejected by the security group.

By following these steps, you will successfully enforce the necessary ingress TCP and UDP access restrictions from 0.0.0.0/0 according to the NIST 800-171 Revision 2 guidelines.
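The following script is an added example, not Cloud Defense's or AWS's own code. It shows how the rule described above is evaluated in practice and how the remediation maps onto the EC2 API: it walks the IpPermissions structure that ec2.describe_security_groups returns, flags any TCP, UDP or all-protocol ("-1") ingress rule whose source is 0.0.0.0/0 or ::/0, and builds the argument dictionary for ec2.revoke_security_group_ingress that removes only the world-open ranges. The two security groups and their group IDs are constructed sample data, so the script runs offline; the boto3 calls are shown only in a comment. One caveat the check makes concrete: a rule whose Source is 0.0.0.0/0 is exactly what this control flags, so the replacement rules created in the steps above must name the authorized CIDR as their source, not 0.0.0.0/0.

```python
"""
Added example (not Cloud Defense's or AWS's own code): evaluate the IpPermissions
structure returned by ec2.describe_security_groups, flag TCP/UDP ingress rules
whose source is 0.0.0.0/0 or ::/0, and build the matching revoke request.
The security groups below are constructed sample data with placeholder IDs.
"""
from typing import Any, Dict, List

OPEN_IPV4 = "0.0.0.0/0"
OPEN_IPV6 = "::/0"
# Protocols covered by the rule. "-1" means "all protocols" in the EC2 API and
# therefore includes TCP and UDP, so an all-protocol rule open to the world is flagged too.
COVERED_PROTOCOLS = {"tcp", "udp", "-1"}

# Constructed sample data in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS: List[Dict[str, Any]] = [
    {
        "GroupId": "sg-0123456789abcdef0",  # placeholder id
        "GroupName": "web-open",
        "IpPermissions": [
            {   # TCP on every port from the whole IPv4 Internet plus an internal range
                "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                "IpRanges": [{"CidrIp": OPEN_IPV4},
                             {"CidrIp": "10.0.0.0/8", "Description": "corp"}],
                "Ipv6Ranges": [],
            },
            {   # UDP/53 open to the whole IPv6 Internet
                "IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
                "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": OPEN_IPV6}],
            },
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",  # placeholder id
        "GroupName": "web-restricted",
        "IpPermissions": [
            {   # HTTPS from one authorized range (203.0.113.0/24 is a documentation range)
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
            },
            {   # ICMP echo from anywhere: not TCP/UDP, so outside this rule's scope
                "IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
                "IpRanges": [{"CidrIp": OPEN_IPV4}], "Ipv6Ranges": [],
            },
        ],
    },
]


def open_ingress_permissions(sg: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One entry per ingress permission of `sg` that allows TCP or UDP from anywhere,
    keeping only the world-open ranges so the result can be passed straight to a revoke call."""
    findings: List[Dict[str, Any]] = []
    for perm in sg.get("IpPermissions", []):
        proto = str(perm.get("IpProtocol", ""))
        if proto not in COVERED_PROTOCOLS:
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_IPV4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_IPV6]
        if not (v4 or v6):
            continue
        finding: Dict[str, Any] = {"IpProtocol": proto}
        # All-protocol ("-1") rules carry no port fields; TCP/UDP rules always do.
        if "FromPort" in perm:
            finding["FromPort"] = perm["FromPort"]
            finding["ToPort"] = perm["ToPort"]
        if v4:
            finding["IpRanges"] = [{"CidrIp": OPEN_IPV4}]
        if v6:
            finding["Ipv6Ranges"] = [{"CidrIpv6": OPEN_IPV6}]
        findings.append(finding)
    return findings


def is_compliant(sg: Dict[str, Any]) -> bool:
    """True when no TCP/UDP ingress rule in `sg` is open to 0.0.0.0/0 or ::/0."""
    return not open_ingress_permissions(sg)


def revoke_request(sg: Dict[str, Any]) -> Dict[str, Any]:
    """Keyword arguments for ec2.revoke_security_group_ingress(**request). Only the
    world-open ranges are listed, so other sources on the same rule (10.0.0.0/8 above) survive."""
    return {"GroupId": sg["GroupId"], "IpPermissions": open_ingress_permissions(sg)}


def describe_findings(sg: Dict[str, Any]) -> List[str]:
    """Human-readable finding lines, one per offending permission."""
    lines = []
    for f in open_ingress_permissions(sg):
        ports = "all ports" if "FromPort" not in f else f"ports {f['FromPort']}-{f['ToPort']}"
        sources = [r["CidrIp"] for r in f.get("IpRanges", [])] + \
                  [r["CidrIpv6"] for r in f.get("Ipv6Ranges", [])]
        lines.append(f"{sg['GroupId']}: {f['IpProtocol']} {ports} open to {', '.join(sources)}")
    return lines


if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        status = "COMPLIANT" if is_compliant(group) else "NON-COMPLIANT"
        print(f"{group['GroupName']} ({group['GroupId']}): {status}")
        for line in describe_findings(group):
            print("  " + line)
    # Live equivalent with boto3 (not run here):
    #   ec2 = boto3.client("ec2")
    #   for sg in ec2.describe_security_groups()["SecurityGroups"]:
    #       if not is_compliant(sg):
    #           ec2.revoke_security_group_ingress(**revoke_request(sg))
```

The revoke request lists only the 0.0.0.0/0 and ::/0 entries of each offending rule, which is how EC2 lets you strip a single source from a rule that also names legitimate ranges; after the revoke, the replacement rules are added with the authorized CIDR as their source, matching the CloudFormation template above.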
