This rule ensures VPC security groups restrict ingress on common ports to enhance network security.

| Rule | VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0 |
| Framework | RBI Cyber Security Framework |
| Severity | High |
VPC Security Group Ingress Access Restriction
Rule Description
The RBI Cyber Security Framework calls for restricting ingress to administrative and database ports within a VPC security group. A rule whose source is 0.0.0.0/0 (or ::/0 for IPv6) exposes the service behind the port to every address on the Internet; this control flags such rules so that only authorised sources can reach those ports.
The following ports should be restricted:
Port 20 (FTP data)
Port 21 (FTP control)
Port 22 (SSH)
Port 3306 (MySQL)
Port 3389 (RDP)
Port 4333 (mSQL)
By implementing this rule, only authorized sources will be able to access these ports, strengthening the security posture of the VPC.
Troubleshooting Steps
If you encounter any issues with implementing the ingress access restriction rule, follow these troubleshooting steps:
Verify the VPC Security Group: Double-check that you are modifying the correct security group associated with the VPC.
Allow Required Sources: Ensure that the desired sources are correctly specified when modifying the security group's ingress rules. The rule should allow access only from specific IP ranges (CIDR blocks) or from specific security groups, never from 0.0.0.0/0 or ::/0.
Check Protocol and Ports: Verify that the protocol and port numbers for each service are correctly configured. All of the listed services use TCP: FTP uses ports 20 (data) and 21 (control), SSH uses port 22, MySQL uses port 3306, RDP uses port 3389 and mSQL uses port 4333. A rule that covers a port range (for example 3000-4000) or that allows all traffic (protocol -1) also exposes these ports and must be narrowed.
Verify Outbound Rules: Security groups are stateful, so replies to permitted inbound connections are allowed without any outbound rule. Check only that the outbound rules do not unintentionally block connections the instances themselves need to initiate.
Remediation Steps
To implement the ingress access restriction rule in a VPC security group, follow these steps:
Identify the Security Group: Determine the security group associated with the VPC that requires ingress access restriction.
Access Security Group Settings: Log in to the AWS Management Console or use the AWS CLI to access the VPC Dashboard and navigate to the Security Groups section.
Select the Security Group: Locate the correct security group and select it for modification.
Edit Ingress Rules: Within the selected security group, locate the "Inbound Rules" configuration and edit the rules.
Restrict the Existing Rules: For each inbound rule on the following ports whose source is 0.0.0.0/0 (or ::/0), either change the source to the specific CIDR range or security group that needs access, or delete the rule if the service should not be reachable from outside at all. Do not add new rules with source 0.0.0.0/0:
Port 20: allow only from specific IP ranges or security groups, not 0.0.0.0/0
Port 21: allow only from specific IP ranges or security groups, not 0.0.0.0/0
Port 22: allow only from specific IP ranges or security groups, not 0.0.0.0/0
Port 3306: allow only from specific IP ranges or security groups, not 0.0.0.0/0
Port 3389: allow only from specific IP ranges or security groups, not 0.0.0.0/0
Port 4333: allow only from specific IP ranges or security groups, not 0.0.0.0/0
Save Changes: After adding the new rules, save the changes to apply the ingress access restrictions.
Verify the Rules: Review the modified security group's inbound rules to ensure that the restrictions are correctly applied.
By following these steps, you will successfully restrict ingress access on the specified ports within the VPC security group, aligning with the RBI Cyber Security Framework recommendations.
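As an added example, not part of the original rule page or of any vendor tooling: the Python below evaluates a security group description in the shape returned by `aws ec2 describe-security-groups` against this rule, then emits the AWS CLI commands that replace each world-open rule with the same rule scoped to an allowed CIDR. The group ID, the sample rules and the allowed range 10.0.0.0/16 are constructed for illustration; point `find_open_ingress` at real output to check live groups.

```python
"""Detect world-open ingress on the ports this rule covers and build the
exact revoke/authorize calls that fix it. Added example; the dictionaries
mirror the structure of `aws ec2 describe-security-groups` output."""
import json

# Ports named by the rule, with the TCP service usually behind each one.
RESTRICTED_PORTS = {20: "ftp-data", 21: "ftp", 22: "ssh",
                    3306: "mysql", 3389: "rdp", 4333: "msql"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample group (not real AWS data): mixes compliant and
# non-compliant rules so every branch below is exercised.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-and-admin",
    "IpPermissions": [
        # HTTP open to the world: not a listed port, so not a finding
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        # SSH open over both IPv4 and IPv6: two findings on one rule
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        # a port range that happens to cover MySQL and RDP
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,
         "IpRanges": [{"CidrIp": ANY_IPV4}]},
        # RDP scoped to one office range: compliant
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        # all UDP: the listed services are TCP, so ignored here
        {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": ANY_IPV4}]},
        # all traffic, but only from another security group: compliant
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}


def _covered_ports(perm):
    """Restricted ports that one IpPermissions entry reaches."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all traffic: no port keys present
        return sorted(RESTRICTED_PORTS)
    if proto not in ("tcp", "6"):          # "6" is TCP's protocol number
        return []
    low, high = perm["FromPort"], perm["ToPort"]
    return [p for p in sorted(RESTRICTED_PORTS) if low <= p <= high]


def find_open_ingress(group):
    """One finding per (rule, world-open CIDR) naming the exposed ports."""
    findings = []
    for perm in group.get("IpPermissions", []):
        ports = _covered_ports(perm)
        if not ports:
            continue
        open_cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])
                      if r.get("CidrIp") == ANY_IPV4]
        open_cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                       if r.get("CidrIpv6") == ANY_IPV6]
        for cidr in open_cidrs:
            findings.append({"cidr": cidr, "ports": ports, "permission": perm})
    return findings


def _permission_for(perm, cidr):
    """Copy of the rule's protocol and port range with a single source CIDR.
    revoke-security-group-ingress only removes a rule that matches protocol,
    port range and CIDR exactly, so the range must not be narrowed here."""
    out = {"IpProtocol": perm["IpProtocol"]}
    if "FromPort" in perm:                 # absent for protocol -1
        out["FromPort"], out["ToPort"] = perm["FromPort"], perm["ToPort"]
    if ":" in cidr:
        out["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        out["IpRanges"] = [{"CidrIp": cidr}]
    return out


def remediation_commands(group, allowed_ipv4, allowed_ipv6=None):
    """AWS CLI calls that replace each world-open rule with the same rule
    scoped to the allowed CIDR. The scoped rule is authorised before the open
    one is revoked so an administrator on the allowed range keeps SSH/RDP.
    Without an IPv6 allow-list, ::/0 rules are simply revoked."""
    gid = group["GroupId"]
    cmds = []
    for f in find_open_ingress(group):
        replacement = allowed_ipv6 if ":" in f["cidr"] else allowed_ipv4
        steps = [("authorize", replacement)] if replacement else []
        steps.append(("revoke", f["cidr"]))
        for verb, cidr in steps:
            perm_json = json.dumps([_permission_for(f["permission"], cidr)])
            cmds.append(f"aws ec2 {verb}-security-group-ingress --group-id {gid} "
                        f"--ip-permissions '{perm_json}'")
    return cmds


if __name__ == "__main__":
    for f in find_open_ingress(SAMPLE_GROUP):
        names = ", ".join(f"{p}/{RESTRICTED_PORTS[p]}" for p in f["ports"])
        print(f"{SAMPLE_GROUP['GroupId']}: {names} open to {f['cidr']}")
    print("\n".join(remediation_commands(SAMPLE_GROUP, "10.0.0.0/16")))
```

Two points the procedure above glosses over are handled here: a rule that spans a range (3300-3400) or allows all traffic (-1) exposes the listed ports just as surely as a single-port rule, and AWS will only revoke a rule when the protocol, port range and CIDR match the original exactly. Revoking a broad range rule also removes any ports in that range that were legitimately public, so re-authorise those separately after running the generated commands.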