
Rule: VPC Security Groups Should Restrict Ingress TCP and UDP Access from 0.0.0.0/0

This rule emphasizes the importance of restricting TCP and UDP access in VPC security groups to enhance security measures.

Rule: VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description

The rule/policy mandates that the ingress TCP and UDP access for VPC security groups should be limited to prevent unrestricted access from any source IP address (0.0.0.0/0). This restriction is based on the NIST Cybersecurity Framework (CSF) version 1.

Troubleshooting Steps

If a security group violates this rule, the following steps help identify and resolve the issue:

1. Verify Security Group Rules: Check the current configuration of the security group rules associated with the VPC. Ensure that there are no inbound TCP and UDP rules allowing unrestricted access from 0.0.0.0/0.

2. Evaluate Access Requirements: Review the specific requirements and determine whether any exceptions need to be made for inbound TCP and UDP access. If there are valid reasons to allow specific ports or IP ranges, they should be documented and configured accordingly.

3. Update Security Group Rules: If the existing security group rules do not comply with the policy, modify them so that ingress TCP and UDP access from 0.0.0.0/0 is replaced by the necessary range of IP addresses or the specific IPs mentioned in the NIST CSF v1.

4. Test Connectivity: After implementing the updated security group rules, verify the connectivity to the required resources/services. Test TCP and UDP connectivity from both internal and external sources to ensure that only the intended access is allowed.
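Step 1 (verifying the rules) is easiest to do against the JSON that `aws ec2 describe-security-groups` prints. The Python script below is an added example, not code from the original page or from Cloud Defense: it flags every TCP and UDP inbound rule open to 0.0.0.0/0 and, going slightly beyond the rule text, also treats ::/0 and the all-protocol rule (IpProtocol "-1", which implicitly includes TCP and UDP) as findings. The sample security-group document and its group IDs are constructed for the example.

```python
import json

# Added example, not code from the original page. Audits the JSON that
# `aws ec2 describe-security-groups` prints and reports every inbound
# rule that exposes TCP or UDP to the whole internet.
WORLD = {"0.0.0.0/0", "::/0"}      # IPv4 and IPv6 "anywhere"
TCP_UDP = {"tcp", "udp", "-1"}     # "-1" = all protocols, so TCP and UDP too

def world_cidrs(perm):
    """CIDRs in one IpPermissions entry that mean 'any source'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def find_open_ingress(describe_output):
    """Return (group_id, protocol, from_port, to_port, cidr) for every
    ingress rule that allows TCP or UDP from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in TCP_UDP:
                continue           # e.g. icmp is outside this rule's scope
            for cidr in world_cidrs(perm):
                findings.append((sg["GroupId"], perm["IpProtocol"],
                                 perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings

# Constructed sample in describe-security-groups format (IDs are made up).
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "IpPermissions": [
   {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
    "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ccc", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]}""")

if __name__ == "__main__":
    for gid, proto, lo, hi, cidr in find_open_ingress(SAMPLE):
        ports = "all" if lo is None else f"{lo}-{hi}" if lo != hi else str(lo)
        print(f"{gid}: {proto} port(s) {ports} open to {cidr}")
```

Each finding gives exactly the group ID, protocol, port range and CIDR that the matching revoke-security-group-ingress call needs. Note that the all-protocol rule on sg-0ccc would be missed by a check that only looks for IpProtocol "tcp" or "udp".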

Necessary Codes (if applicable)

The necessary code in this case modifies the security group rules to restrict ingress TCP and UDP access. Adding a narrower rule on its own does not restrict anything while the 0.0.0.0/0 rule still exists, so the open rule must be revoked first and the restricted rule added afterwards. The AWS Command Line Interface (CLI) commands are as follows:

# Remove the inbound rules that allow TCP and UDP access from any source
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-range> --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol udp --port <port-range> --cidr 0.0.0.0/0

# Add inbound rules for TCP and UDP access limited to the required source range
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-range> --cidr <cidr-range>
aws ec2 authorize-security-group-ingress --group-id <security-group-id> --protocol udp --port <port-range> --cidr <cidr-range>

Replace <security-group-id> with the actual ID of the security group you want to modify, <port-range> with the specific port or range of ports, and <cidr-range> with the IP range or specific IP address mentioned in the NIST CSF v1. The revoke command only removes a rule whose protocol, port range and CIDR match the existing rule exactly, so take those values from the rule you found in the verification step.

Step-by-Step Guide for Remediation

Follow the step-by-step guide below to remediate the rule violation:

1. Access AWS Management Console: Log in to the AWS Management Console using appropriate credentials.

2. Navigate to VPC Dashboard: Go to the VPC service dashboard by searching for "VPC" in the services search bar and selecting the appropriate option.

3. Select Security Groups: In the left sidebar, click on "Security Groups" to view the list of existing security groups.

4. Choose Relevant Security Group: Identify the security group that needs to be modified based on the NIST CSF v1 guidelines, and select it by clicking on its name.

5. Review Inbound Rules: In the selected security group details, navigate to the "Inbound Rules" tab or section. Review the existing rules to ensure they comply with the ingress TCP and UDP restrictions mentioned in the NIST CSF v1.

6. Update TCP Ingress Rule: If any TCP inbound rules allow access from 0.0.0.0/0, click the "Edit" or "Add Rule" button. Add a new rule to restrict the TCP ingress access to the specific IP range or IP address mentioned in the NIST CSF v1. Save the rule.

7. Update UDP Ingress Rule: If any UDP inbound rules allow access from 0.0.0.0/0, click the "Edit" or "Add Rule" button. Add a new rule to restrict the UDP ingress access to the specific IP range or IP address mentioned in the NIST CSF v1. Save the rule.

8. Verify and Test Connectivity: After updating the security group rules, verify the changes and test the connectivity to the relevant resources/services. Ensure that the required TCP and UDP access is allowed, while access from other sources is restricted as per the policy.

9. Document and Monitor the Changes: Keep a record of the changes made to the security group and monitor them regularly to ensure ongoing compliance with the NIST CSF v1.

By following these steps, you will be able to remediate the non-compliant security group rules and enforce the necessary restrictions on ingress TCP and UDP access for VPC security groups based on the NIST CSF v1.
