
Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0

A high severity rule stating that VPC security groups must restrict ingress SSH access from 0.0.0.0/0.

Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework: NIST 800-53 Revision 5
Severity: High

VPC Security Group Rule Restriction for SSH Access

Description:

To comply with the NIST 800-53 Revision 5 security standard, ingress SSH (Secure Shell) access to the VPC (Virtual Private Cloud) instances should be restricted to known and trusted IP addresses rather than allowing access from any source (0.0.0.0/0).

Policy Details:

  • Only specific IP addresses or IP ranges should be allowed to establish SSH connections to the VPC instances.
  • Allowing SSH access from any source IP address increases the risk of unauthorized access and potential security breaches.
  • By implementing this policy, the security posture of the VPC is enhanced, ensuring that only authorized users and systems can access the instances via SSH.

Troubleshooting Steps:

  1. Issue: SSH access is not restricted.
     Resolution: Verify that the security group rules have been properly configured and associated with the VPC instances. Ensure that ingress SSH access is limited to the required IP addresses or IP ranges.

  2. Issue: SSH access is restricted, but connectivity issues arise.
     Resolution: Confirm that the correct IP address or IP range has been allowed for SSH access. Double-check any changes made to the security group rules. Verify that there are no conflicts with Network Access Control Lists (NACLs) or other security policies.

Necessary Codes:

In order to apply the necessary restrictions on SSH access to the VPC security group, the following code snippets can be used:

AWS CLI:

# Remove the world-open SSH rule first; authorizing a trusted range on its own
# leaves the 0.0.0.0/0 rule in place and the finding unresolved.
aws ec2 revoke-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 22 \
  --cidr 0.0.0.0/0

# Allow SSH only from the trusted range. The value must be in CIDR notation
# (a single host is written as <address>/32); the CLI flag is --cidr.
aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 22 \
  --cidr <trusted-ip-address>

AWS SDK (Python):

import boto3

ec2 = boto3.client('ec2')

# Rule entry for SSH (TCP/22) in the shape the EC2 API expects.
ssh_from_anywhere = {
    'FromPort': 22,
    'ToPort': 22,
    'IpProtocol': 'tcp',
    'IpRanges': [{'CidrIp': '0.0.0.0/0'}],
}

# Remove the world-open rule; adding a trusted range alone does not restrict anything.
ec2.revoke_security_group_ingress(
    GroupId='<security-group-id>',
    IpPermissions=[ssh_from_anywhere],
)

# Allow SSH only from the trusted range. CidrIp must be CIDR notation
# (a single host is '<address>/32').
response = ec2.authorize_security_group_ingress(
    GroupId='<security-group-id>',
    IpPermissions=[
        {
            'FromPort': 22,
            'ToPort': 22,
            'IpProtocol': 'tcp',
            'IpRanges': [
                {
                    'CidrIp': '<trusted-ip-address>',
                },
            ],
        },
    ],
)

Step-by-Step Guide for Remediation:

  1. Identify the security group associated with the VPC instances that require SSH access restriction.
  2. Determine the trusted IP address(es) or IP range(s) allowed to establish SSH connections.
  3. Apply one of the provided code snippets (CLI or SDK) to update the security group configuration.
     • Replace <security-group-id> with the actual security group ID.
     • Replace <trusted-ip-address> with the trusted IP address/es or IP range/s.
  4. Execute the code to authorize the updated security group ingress rule.
  5. Verify that the SSH access is now restricted as intended.
  6. Retest SSH connectivity to the VPC instances using the allowed IP address/es or IP range/s.

Following these steps will effectively restrict SSH access to the VPC instances from only trusted IP addresses or IP ranges in compliance with the NIST 800-53 Revision 5 standard.
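The following is an added example, not Cloud Defense's own code, that covers the remediation steps above end to end: it inspects a security group in the structure returned by `ec2.describe_security_groups()`, flags every ingress rule that exposes TCP/22 to 0.0.0.0/0 or ::/0 (including all-traffic rules and port ranges that happen to cover 22, which a check for "port 22 only" would miss), validates the operator-supplied trusted ranges as real CIDRs, and builds the exact `IpPermissions` payloads to pass to `revoke_security_group_ingress` and `authorize_security_group_ingress`. The sample group `SAMPLE_GROUP` is constructed so the check runs offline; `apply_remediation()` is a hypothetical helper showing where the live boto3 calls go, and the security group ID and trusted range in it are placeholders.

```python
"""Detect and remediate VPC security-group rules that allow SSH ingress from any address.

Added example, not Cloud Defense's code. Pure functions below work on the
IpPermissions structure that ec2.describe_security_groups() returns;
apply_remediation() is a hypothetical helper that needs boto3 and credentials.
"""
import ipaddress

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
SSH_PORT = 22

# Constructed sample in describe_security_groups() shape; group ID and ranges are made up.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # HTTPS open to the world: outside this rule's scope
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # port range that silently covers 22
    ],
}


def rule_covers_ssh(perm):
    """True if an IpPermission entry admits TCP/22 (explicitly, via a range, or via all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols and ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def open_ssh_sources(perm):
    """World-open CIDRs (IPv4 and IPv6) present in a rule that covers SSH; empty if compliant."""
    if not rule_covers_ssh(perm):
        return []
    found = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    return found


def find_violations(security_group):
    """(rule, open_cidrs) pairs for every offending ingress rule in one security group."""
    result = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = open_ssh_sources(perm)
        if cidrs:
            result.append((perm, cidrs))
    return result


def build_remediation(violations, trusted_cidrs):
    """Return (revoke, authorize) IpPermissions lists.

    revoke removes only the world-open CIDRs from each offending rule, so other
    ranges on the same rule are kept. authorize adds TCP/22 from the trusted ranges.
    Strict CIDR parsing rejects typos such as host bits set under a /24.
    """
    for cidr in trusted_cidrs:
        if ipaddress.ip_network(cidr).prefixlen == 0:   # raises ValueError on malformed input
            raise ValueError(f"{cidr} allows every address and is not a restriction")
    revoke = []
    for perm, cidrs in violations:
        entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        v4 = [{"CidrIp": c} for c in cidrs if ":" not in c]
        v6 = [{"CidrIpv6": c} for c in cidrs if ":" in c]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        revoke.append(entry)
    authorize = {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT}
    v4 = [{"CidrIp": c, "Description": "SSH from trusted range"} for c in trusted_cidrs if ":" not in c]
    v6 = [{"CidrIpv6": c, "Description": "SSH from trusted range"} for c in trusted_cidrs if ":" in c]
    if v4:
        authorize["IpRanges"] = v4
    if v6:
        authorize["Ipv6Ranges"] = v6
    return revoke, [authorize]


def apply_remediation(group_id, trusted_cidrs):
    """Hypothetical helper: check one live group and fix it. Needs boto3 and AWS credentials."""
    import boto3
    ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    revoke, authorize = build_remediation(find_violations(group), trusted_cidrs)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)
    return len(revoke)


if __name__ == "__main__":
    for perm, cidrs in find_violations(SAMPLE_GROUP):
        print(f"open SSH: proto={perm['IpProtocol']} ports={perm.get('FromPort')}-{perm.get('ToPort')} from {cidrs}")
    revoke, authorize = build_remediation(find_violations(SAMPLE_GROUP), ["203.0.113.0/24"])
    print("revoke:", revoke)
    print("authorize:", authorize)
```

Running the check against the sample group reports two offending rules (the explicit TCP/22 rule and the 20-25 range) and leaves the HTTPS rule alone; the revoke payload keeps the 203.0.113.0/24 entry on the first rule intact. Re-running `find_violations` on the group after remediation is the verification in step 5.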
