
Rule: VPC Security Groups Should Restrict Ingress Access on Common Ports

This rule ensures that VPC security groups restrict ingress access on specific common ports to enhance network security.

Rule: VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description:

This rule enforces the restriction of ingress access on specific ports (20, 21, 22, 3306, 3389, and 4333) from the IP address range of 0.0.0.0/0 within the AWS VPC security groups. By implementing this rule, organizations can enhance the security of their VPCs by strictly controlling access to these ports, thereby reducing the attack surface and potential vulnerabilities.

Troubleshooting Steps:

  1. Identify the affected VPC security groups: Review all the VPC security groups within your AWS environment to determine which security groups allow ingress access on the listed ports from the IP address range 0.0.0.0/0.

  2. Validate existing ingress rules: Check whether the listed ports (20, 21, 22, 3306, 3389, and 4333) have any existing ingress rules allowing access from the IP address range 0.0.0.0/0. If such rules exist, the security groups are not compliant with the rule/policy.

  3. Analyze dependencies: Before modifying any security group rules, ensure that there are no legitimate dependencies on these open ports from the IP address range 0.0.0.0/0. Check with the system/network administrators and application owners to understand whether any external access is required on these ports.

  4. Update security group rules: Once you have validated that there are no legitimate dependencies, modify the respective security group rules to restrict ingress access on ports 20, 21, 22, 3306, 3389, and 4333 to a more restrictive IP range (e.g., specific IPs or CIDR blocks).

  5. Verify the changes: After modifying the security group rules, revalidate that ingress access has been restricted successfully by testing connectivity from external sources to the listed ports.
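Steps 1 and 2 above (finding the groups and checking their ingress rules) can be automated over the output of EC2 DescribeSecurityGroups. The following is an added example, not Cloud Defense's or AWS's code; it assumes the input has the shape boto3's ec2.describe_security_groups() returns, uses constructed sample data with placeholder GroupIds, and goes slightly beyond the rule's text by also treating all-traffic ("-1") rules, port ranges that cover a listed port, and the IPv6 "anywhere" source ::/0 as exposures.

```python
# Added example (not Cloud Defense's code): flag security-group ingress rules that
# open the ports named in this rule to the world. Input mirrors the "SecurityGroups"
# list from EC2 DescribeSecurityGroups; the sample data at the bottom is constructed.
RESTRICTED_PORTS = {20, 21, 22, 3306, 3389, 4333}
# ::/0 is the IPv6 "anywhere" source; checking it goes beyond the rule's literal text.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def exposed_ports(permission):
    """Return the restricted ports that one IpPermissions entry opens to the world."""
    sources = {r.get("CidrIp") for r in permission.get("IpRanges", [])}
    sources |= {r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])}
    if not sources & WORLD_CIDRS:
        return set()
    proto = permission.get("IpProtocol")
    if proto == "-1":              # "-1" means all protocols/ports: every port is open
        return set(RESTRICTED_PORTS)
    if proto not in ("tcp", "6"):  # the listed services are TCP; skip udp/icmp entries
        return set()
    low, high = permission.get("FromPort", 0), permission.get("ToPort", 65535)
    return {p for p in RESTRICTED_PORTS if low <= p <= high}


def find_noncompliant(security_groups):
    """Map GroupId -> sorted restricted ports reachable from 0.0.0.0/0 or ::/0."""
    findings = {}
    for sg in security_groups:
        ports = set().union(*(exposed_ports(p) for p in sg.get("IpPermissions", [])))
        if ports:
            findings[sg["GroupId"]] = sorted(ports)
    return findings


# Constructed sample in DescribeSecurityGroups shape (GroupIds are placeholders).
SAMPLE_GROUPS = [
    {"GroupId": "sg-placeholder-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-placeholder-b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-placeholder-c", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-placeholder-d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group_id, ports in find_noncompliant(SAMPLE_GROUPS).items():
        print(f"{group_id}: restricted ports open to the world: {ports}")
```

Port 443 open to the world is reported as compliant here because it is not one of the ports this rule covers; the group that allows all traffic from 0.0.0.0/0 is reported with every listed port.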

Necessary Codes:

There are no specific codes required for this rule as it involves modifying the security group rules within the AWS Management Console or through CLI commands.

Step-by-Step Guide for Remediation:

  1. Log in to the AWS Management Console.
  2. Go to the VPC Dashboard.
  3. Navigate to the "Security Groups" section.
  4. Identify the security group(s) that need to be modified based on the rule/policy.
  5. Select the security group that requires modification.
  6. Click on the "Inbound Rules" tab.
  7. Locate the existing rules allowing ingress access on ports 20, 21, 22, 3306, 3389, and 4333 from the IP address range 0.0.0.0/0.
  8. Edit each of these rules and change the source IP range to a more restrictive one. For example, you can specify the individual IP addresses or CIDR blocks that are allowed to access these ports.
  9. Save the changes to update the security group rules.
  10. Repeat steps 5-9 for any other security groups that need to be modified.
  11. After updating all relevant security groups, perform connectivity tests to validate that access to the listed ports is now restricted.

Note: Make sure to communicate and coordinate with the relevant stakeholders and follow proper change management procedures before making any modifications to the security group rules.
