This rule ensures that VPC security groups restrict ingress on commonly targeted administrative and database ports to specific, authorized IP ranges rather than allowing it from any address.
| Rule | VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0 |
| Framework | NIST 800-53 Revision 5 |
| Severity | High |
Rule Description:
This rule ensures that ingress access to certain ports in Virtual Private Cloud (VPC) security groups is properly restricted. Specifically, it requires that ports 20, 21, 22, 3306, 3389, and 4333 do not accept incoming connections from any IP address (0.0.0.0/0); only explicitly authorized source ranges may be permitted. This restriction is implemented to comply with the security standards outlined in NIST 800-53 Revision 5.
Necessary Code:
No specific code is provided for this rule. The configuration changes will be made using the AWS Management Console or command-line interface (CLI).
Step-by-Step Guide for Remediation:
Login to the AWS Management Console (https://console.aws.amazon.com/) using appropriate credentials.
Navigate to the VPC service.
Select the desired VPC where the security group is located.
Locate and select the appropriate security group associated with the VPC.
Once selected, go to the "Inbound rules" (ingress) section of the security group.
Find the existing rules for ports 20, 21, 22, 3306, 3389, and 4333 whose source is 0.0.0.0/0.
Edit the existing rules to restrict ingress access to authorized IP ranges only.
Add the authorized IP ranges (such as specific CIDR blocks or individual IP addresses) that are allowed to access these ports.
Remove the rule that allows ingress access from 0.0.0.0/0.
Review and save the updated security group configuration.
Test the updated security group by attempting to connect to the specified ports from an unauthorized IP address to ensure access is blocked.
Monitor the security group's inbound traffic to ensure that only authorized sources can access the allowed ports.
Note: Ensure that you have verified the IP ranges and authorized sources before making any changes to the security group configuration.
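The page notes that no code accompanies this rule, so the following is an added example and not part of the original page or any vendor's tooling. It audits the "SecurityGroups" list returned by `aws ec2 describe-security-groups --output json` for the condition the rule describes (a monitored port reachable from 0.0.0.0/0, and also the IPv6 equivalent ::/0), and for each offending rule builds the `aws ec2 revoke-security-group-ingress` command that removes it exactly as it exists. The group IDs and CIDRs in the sample are constructed so the script runs offline; with real data, pass `data["SecurityGroups"]` to `find_open_rules`.

```python
"""Audit security group ingress rules for the ports covered by this rule.

Added example, not part of the original page or of any vendor's tooling.
Input shape is the "SecurityGroups" list from `aws ec2 describe-security-groups`.
The sample data below is constructed: group IDs and CIDRs are made up.
"""
import ipaddress

# Ports the rule covers: FTP data/control, SSH, MySQL, RDP and 4333.
MONITORED_PORTS = (20, 21, 22, 3306, 3389, 4333)


def _is_anywhere(cidr):
    """True for a /0 prefix, i.e. 0.0.0.0/0 or ::/0 (the whole address space)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    """Inclusive (from, to) port range of one IpPermission, or None when the
    protocol carries no ports (ICMP, for instance)."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":  # "all traffic": every port; the API omits FromPort/ToPort
        return 0, 65535
    if proto not in ("tcp", "udp", "6", "17"):
        return None
    return perm["FromPort"], perm["ToPort"]


def find_open_rules(security_groups):
    """One finding per ingress rule that lets 0.0.0.0/0 or ::/0 reach a
    monitored port. A wide rule (e.g. 0-65535) yields a single finding
    listing every monitored port it exposes."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            rng = _port_range(perm)
            if rng is None:
                continue
            lo, hi = rng
            exposed = [p for p in MONITORED_PORTS if lo <= p <= hi]
            if not exposed:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", []) if _is_anywhere(r["CidrIp"])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if _is_anywhere(r["CidrIpv6"])]
            for src in sources:
                findings.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": str(perm["IpProtocol"]),
                    "FromPort": lo,
                    "ToPort": hi,
                    "Source": src,
                    "ExposedPorts": exposed,
                })
    return findings


def revoke_command(finding):
    """Build the CLI call that removes the offending rule as it exists (same
    protocol, port range and source); a revoke narrower than the stored rule
    matches nothing. Review before running, then add the authorized CIDRs
    with `aws ec2 authorize-security-group-ingress`."""
    ipv6 = ":" in finding["Source"]
    range_list, range_key = ("Ipv6Ranges", "CidrIpv6") if ipv6 else ("IpRanges", "CidrIp")
    perm = f"IpProtocol={finding['IpProtocol']}"
    if finding["IpProtocol"] != "-1":
        perm += f",FromPort={finding['FromPort']},ToPort={finding['ToPort']}"
    perm += f",{range_list}=[{{{range_key}={finding['Source']}}}]"
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['GroupId']} "
            f"--ip-permissions '{perm}'")


# Constructed sample in the describe-security-groups shape (hypothetical IDs/CIDRs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        # Compliant: HTTPS from anywhere is not a monitored port.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Violation: SSH from the whole IPv4 internet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Compliant: RDP restricted to a documentation-range CIDR.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "db", "IpPermissions": [
        # Violation: "all traffic" from the IPv6 internet exposes every monitored port.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for f in find_open_rules(SAMPLE_GROUPS):
        print(f["GroupId"], f["Source"], "exposes", f["ExposedPorts"])
        print("  ", revoke_command(f))
```

The audit deliberately treats an "all traffic" (IpProtocol -1) rule and a broad port range as violations, since a rule does not have to name port 22 explicitly to expose it; it also checks ::/0, which the rule text does not mention but which has the same effect for dual-stack subnets.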
Conclusion:
By implementing this rule, you adhere to the NIST 800-53 Revision 5 guidelines by restricting ingress access to these ports in the VPC security group, thereby reducing the exposure of your AWS resources to unauthorized network access.