
Security Groups Rule: Restrict Access to High-Risk Ports

This rule ensures security groups do not permit unrestricted access to high-risk ports.

Rule: Security groups should not allow unrestricted access to ports with high risk
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

This rule ensures that security groups in the network configuration do not have unrestricted access to ports with high risk as identified by NIST 800-171 Revision 2. By implementing this rule, organizations can reduce the exposure to potential security threats and comply with the security guidelines set by NIST.

Troubleshooting Steps:

If a security group is found to have unrestricted access to ports with high risk, follow these steps to troubleshoot and remediate the issue:

  1. Identify the affected security group(s): Determine the security group(s) that have unrestricted access to ports with high risk as identified by NIST 800-171 Revision 2.

  2. Review the current rules: Analyze the existing rules within the security group(s) to identify any rules that allow unrestricted access to high-risk ports.

  3. Determine the associated resources: Identify the resources that are associated with the security group(s) in question. This can include instances, load balancers, or any other AWS resources that rely on the security group for access control.

  4. Assess the potential impact: Evaluate the potential impact of modifying the rules to restrict access to high-risk ports. Ensure that any necessary access for legitimate business needs is preserved.

  5. Modify the security group rules: Update the security group rules to deny unrestricted access to ports with high risk. Apply specific IP ranges or CIDR blocks that are allowed access, considering the least privilege principle.

  6. Test the changes: Validate that the updated security group rules are functioning as intended by verifying connectivity and access to the required ports. Test from both inside and outside of the network environment.

  7. Monitor for compliance: Regularly monitor the security group configurations to ensure ongoing compliance with the rule. Establish a process for reviewing and approving any changes to the security group rules to prevent future unauthorized access.

Necessary Codes:

No specific codes are required for this rule. However, the following AWS Command Line Interface (CLI) commands can be used to inspect and modify security group rules (the source range is passed with --cidr; the CLI has no --source option):

  1. Describe security groups:
     aws ec2 describe-security-groups --group-ids <security-group-id>

  2. Add (authorize) a security group ingress rule:
     aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port-range> --cidr <cidr-range>

  3. Revoke a security group ingress rule:
     aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol <protocol> --port <port-range> --cidr <cidr-range>

Step-by-Step Guide for Remediation:

Follow these steps to remediate the security group's unrestricted access to high-risk ports:

  1. Identify the security group: Use the AWS Management Console or AWS CLI to identify the security group that needs modification. Note down the security group ID.

  2. Review the current rules: Obtain the list of security group rules for the identified security group using the describe-security-groups CLI command.

  3. Identify unrestricted access rules: Look for any rules that allow unrestricted access (a source of 0.0.0.0/0 or ::/0) to high-risk ports as defined by NIST 800-171 Revision 2. Take note of the affected rules.

  4. Determine legitimate access requirements: Identify any specific IP ranges or CIDR blocks that should be allowed access to the high-risk ports. Determine the source of legitimate access based on your organization's requirements.

  5. Modify the security group rules: Use the revoke-security-group-ingress CLI command to remove the affected rules, then use the authorize-security-group-ingress CLI command to add replacement rules that allow only the authorized IP ranges or CIDR blocks.

  6. Test the changes: Validate the modified security group rules by attempting to access the high-risk ports from both inside and outside the network environment. Ensure that access is only granted to the intended IP ranges or CIDR blocks.

  7. Monitor compliance: Regularly monitor the security group configurations to ensure ongoing compliance with the rule. Create a process to review and approve any future changes to the security group rules to prevent unauthorized access.

By following these steps, you can effectively remediate the security group configuration to disallow unrestricted access to ports with high risk as defined by NIST 800-171 Revision 2.
