This rule ensures VPC security groups limit SSH access from 0.0.0.0/0 for enhanced security
| Rule | VPC security groups should restrict ingress SSH access from 0.0.0.0/0 |
| Framework | NIST 800-53 Revision 5 |
| Severity | High |
Rule Description:
This rule is designed to ensure that ingress SSH access (TCP port 22) on VPC security groups is not open to 0.0.0.0/0, i.e. to every source address, but is instead limited to specific trusted IP ranges, in accordance with the NIST 800-53 Revision 5 security standard. By implementing this rule, organizations reduce the attack surface of their VPCs and the risk of unauthorized access to SSH services from arbitrary hosts on the internet.
Troubleshooting Steps:
If there are any issues or complications while implementing this rule, the following troubleshooting steps can be followed:
Verify the existing security group configurations:
Verify the IP range restriction:
Verify network ACL configurations:
Review VPC peering or VPN configurations:
Necessary Code:
In order to enforce this rule, you may utilize the AWS Command Line Interface (CLI) or AWS CloudFormation templates to make the necessary changes to the security group configuration. Below are code snippets that can be used as a reference:
AWS CLI Commands (first revoke the rule that allows SSH from anywhere, then allow SSH only from a trusted range):
aws ec2 revoke-security-group-ingress --group-id [security_group_id] --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id [security_group_id] --protocol tcp --port 22 --cidr [trusted_cidr]
CloudFormation Template (the SSH ingress CIDR is taken from a mapping so that it can be set per region; it must be a trusted range, never 0.0.0.0/0):
Mappings:
  SecurityGroupMapping:
    Region1:
      IngressSSH:
        Protocol: tcp
        Port: 22
        CIDR: 203.0.113.0/24   # placeholder for your trusted range; 0.0.0.0/0 here would violate this rule
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: My Security Group
      SecurityGroupIngress:
        - CidrIp: !FindInMap [SecurityGroupMapping, Region1, IngressSSH, CIDR]
          IpProtocol: !FindInMap [SecurityGroupMapping, Region1, IngressSSH, Protocol]
          FromPort: !FindInMap [SecurityGroupMapping, Region1, IngressSSH, Port]
          ToPort: !FindInMap [SecurityGroupMapping, Region1, IngressSSH, Port]
# Rest of the CloudFormation template...
Remediation steps:
To remediate the issue and apply the necessary controls for restricting SSH access to the VPC security groups, follow these step-by-step instructions:
Identify the relevant security group associated with your VPC that needs to be updated.
Open the AWS Management Console and navigate to the EC2 service.
Select the appropriate region and click on "Security Groups" in the left-hand menu.
Locate the target security group from the list and click on its name to access its details.
In the "Inbound Rules" tab, identify the existing SSH rule (port 22) and remove any existing source IP ranges, in particular 0.0.0.0/0.
Add a new inbound rule with the following details:
Save the changes and confirm the modifications.
Once these steps are completed, SSH access to the targeted VPC security groups will no longer be reachable from 0.0.0.0/0 and will be restricted to the trusted IP range you specified, in alignment with the NIST 800-53 Revision 5 security standard.
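The check below is an added example, not part of the original rule page, for verifying the "Necessary Code" and remediation steps above: it scans security groups in the shape of `aws ec2 describe-security-groups` output and reports every group where SSH is reachable from anywhere. It goes slightly beyond the rule text by also catching port ranges that merely include 22, all-traffic (`-1`) rules and the IPv6 equivalent `::/0`. The sample groups are constructed for the example.

```python
"""Flag security-group ingress rules that expose SSH (tcp/22) to any address."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere", IPv4 and IPv6
SSH_PORT = 22


def rule_covers_ssh(perm: dict) -> bool:
    """True if an IpPermissions entry admits TCP port 22."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":             # all protocols, all ports
        return True
    if proto.lower() != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:  # tcp with no port range means every port
        return True
    return lo <= SSH_PORT <= hi   # a 20-25 range still exposes 22


def find_world_open_ssh(security_groups) -> list:
    """Return (GroupId, CIDR) pairs where SSH is reachable from anywhere;
    input has the shape of the SecurityGroups list from describe-security-groups."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_ssh(perm):
                continue
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], c) for c in cidrs if c in WORLD_CIDRS]
    return findings


# Constructed sample groups (not real AWS data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0open", "IpPermissions": [      # classic violation
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-1range", "IpPermissions": [     # range covers 22, IPv6 world-open
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-2ok", "IpPermissions": [        # restricted to a trusted range
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-3http", "IpPermissions": [      # world-open, but not SSH
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Feed it the `SecurityGroups` list from `aws ec2 describe-security-groups --output json` (or boto3's `describe_security_groups()`) to audit a real account; an empty result means the rule is satisfied.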