Rule: VPC security groups should restrict ingress SSH access from 0.0.0.0/0
This rule ensures VPC security groups limit SSH access from 0.0.0.0/0 for enhanced security
| Rule | VPC security groups should restrict ingress SSH access from 0.0.0.0/0 |
| Framework | NIST 800-53 Revision 5 |
| Severity | ✔ High |
Rule Description:
This rule is designed to ensure that the ingress SSH access to VPC security groups is restricted to a specific IP range (0.0.0.0/0) in accordance with the NIST 800-53 Revision 5 security standard. By implementing this rule, organizations can enhance the security of their VPCs by limiting the potential attack surface and reducing the risk of unauthorized access to SSH services.
Troubleshooting Steps:
If there are any issues or complications while implementing this rule, the following troubleshooting steps can be followed:
- 1.
Verify the existing security group configurations:
- Check if the security group associated with the VPC is correctly configured.
- Ensure that the inbound rules for SSH access are properly set.
- 2.
Verify the IP range restriction:
- Check if the IP range for SSH access is set to 0.0.0.0/0.
- Confirm that no other IP ranges are allowed for SSH access.
- 3.
Verify network ACL configurations:
- Ensure that the network ACLs do not override the security group settings.
- Check if there are any conflicting rules in the network ACLs.
- 4.
Review VPC peering or VPN configurations:
- Verify if the VPC is peered with another VPC or connected through a VPN.
- Ensure that the appropriate security groups are applied to the peering connection or VPN.
Necessary Code:
In order to enforce this rule, you may utilize the AWS Command Line Interface (CLI) or AWS CloudFormation templates to make the necessary changes to the security group configuration. Below are code snippets that can be used as a reference:
AWS CLI Command:
aws ec2 authorize-security-group-ingress --group-id [security_group_id] --protocol tcp --port 22 --cidr 0.0.0.0/0
CloudFormation Template:
Mappings:
SecurityGroupMapping:
Region1:
IngressSSH:
Protocol: tcp
Port: 22
CIDR: 0.0.0.0/0
Resources:
MySecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: My Security Group
SecurityGroupIngress:
- CidrIp: !FindInMap [SecurityGroupMapping, Region1, IngressSSH, CIDR]
IpProtocol: !FindInMap [SecurityGroupMapping, Region1, IngressSSH, Protocol]
FromPort: !FindInMap [SecurityGroupMapping, Region1, IngressSSH, Port]
ToPort: !FindInMap [SecurityGroupMapping, Region1, IngressSSH, Port]
# Rest of the CloudFormation template...
Remediation steps:
To remediate the issue and apply the necessary controls for restricting SSH access to the VPC security groups, follow these step-by-step instructions:
- 1.
Identify the relevant security group associated with your VPC that needs to be updated.
- 2.
Open the AWS Management Console and navigate to the EC2 service.
- 3.
Select the appropriate region and click on "Security Groups" in the left-hand menu.
- 4.
Locate the target security group from the list and click on its name to access its details.
- 5.
In the "Inbound Rules" tab, identify the existing SSH rule (port 22) and remove any existing IP ranges.
- 6.
Add a new inbound rule with the following details:
- Type: SSH
- Protocol: TCP
- Port Range: 22
- Source: 0.0.0.0/0 (this restricts access to the specific IP range)
- 7.
Save the changes and confirm the modifications.
Once these steps are completed, the SSH access to the targeted VPC security groups will be effectively restricted to the specified IP range (0.0.0.0/0) in alignment with the NIST 800-53 Revision 5 security standard.