A rule ensuring VPC security groups restrict ingress access on specific ports from all sources.
| Field | Value |
|---|---|
| Rule | VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0 |
| Framework | NIST 800-53 Revision 5 |
| Severity | High |
Rule Description
This rule requires that the Virtual Private Cloud (VPC) security groups within your network infrastructure restrict ingress access on specific ports from any IP address (0.0.0.0/0), in order to comply with NIST 800-53 Revision 5 security guidelines. The restricted ports are 20 (FTP - File Transfer Protocol), 21 (FTP - Secure File Transfer Protocol), 22 (SSH - Secure Shell), 3306 (MySQL), 3389 (RDP - Remote Desktop Protocol), and 4333 (custom port).
Troubleshooting Steps
If you encounter any issues while implementing this rule, you can follow these troubleshooting steps:
Verify security group settings: Check the configuration of your security groups to ensure that the ingress rules are set correctly to restrict access on the specified ports.
Verify IP address ranges: Confirm that no ingress rule on the specified ports uses "0.0.0.0/0" as its source range; that range means any IP address on the internet. Review other broad source ranges as well, since an overly wide range can still allow unintended access.
Check for conflicting rules: Ensure that there are no conflicting ingress rules in your security groups that might allow unrestricted access on the specified ports. Conflicting rules can override the intended restrictions.
Verify Network ACLs: If you are using Network ACLs (NACLs) in addition to security groups, ensure that NACLs are also configured to block access on the specified ports from the IP address range "0.0.0.0/0".
Necessary Codes
To implement this rule you will interact with your cloud service provider's API or Command-Line Interface (CLI). The AWS CLI (Amazon Web Services Command-Line Interface) commands used for remediation are listed below. Note that the remediation revokes the world-open rules: revoke-security-group-ingress removes a rule, whereas authorize-security-group-ingress would add one and open the port further. The revoke command has no --vpc-id option; the VPC ID is only used to confirm that you are editing the group in the intended VPC.
aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName --query 'SecurityGroups[0].GroupId' --output text
aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName --query 'SecurityGroups[0].VpcId' --output text
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 20 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 21 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 3306 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 3389 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 4333 --cidr 0.0.0.0/0
Step-by-Step Guide for Remediation
Follow these steps to remediate the rule and ensure that VPC security groups restrict ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from 0.0.0.0/0:
Identify the VPC: Determine the VPC in which the target security group resides. This information will be required for the subsequent steps.
Access Command-Line Interface: Open your preferred Command-Line Interface (CLI) tool or terminal.
Install AWS CLI (if not already installed): If you haven't installed the AWS CLI, refer to the official AWS CLI documentation for detailed installation instructions for your operating system.
Configure AWS CLI: Once installed, configure the AWS CLI with your AWS Access Key ID, Secret Access Key, default region, and output format using the "aws configure" command.
Obtain the security group ID: Run the following command to retrieve the ID of the security group to be modified:
aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName --query 'SecurityGroups[0].GroupId' --output text
Replace "YourSecurityGroupName" with the name of the target security group.
Obtain the VPC ID: Run the following command to confirm which VPC the security group belongs to:
aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName --query 'SecurityGroups[0].VpcId' --output text
Replace "YourSecurityGroupName" with the name of the target security group. Security group names are only unique within a VPC, so if the same name exists in several VPCs, add a second filter, Name=vpc-id,Values=YourVpcId, to select the intended group.
Revoke the world-open ingress rules: Run the following commands to remove the rules that allow 0.0.0.0/0 on each restricted port (revoke-security-group-ingress removes a rule; authorize-security-group-ingress would add one):
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 20 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 21 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 3306 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 3389 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id YourSecurityGroupId --protocol tcp --port 4333 --cidr 0.0.0.0/0
Replace "YourSecurityGroupId" with the ID obtained in the previous steps. A revoke only succeeds when it matches a stored rule exactly (protocol, port range and source CIDR). If a port is exposed by a wider rule, for example one covering ports 0-65535 or all traffic (protocol -1), revoke that rule as stored and, if needed, re-add a narrower rule scoped to the source ranges that actually need access.
Verify the change: Run the following command and confirm that no ingress rule for the specified ports lists "0.0.0.0/0" as its source:
aws ec2 describe-security-groups --filters Name=group-name,Values=YourSecurityGroupName --query 'SecurityGroups[0].IpPermissions'
By following these steps, you will bring the VPC security groups into compliance with NIST 800-53 Revision 5 guidelines by restricting ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from the IP address range 0.0.0.0/0. The provided CLI commands help you automate the process and keep security configurations consistent across your infrastructure.