This rule focuses on restricting Ingress SSH access to enhance VPC security.
Rule | VPC security groups should restrict ingress SSH access from 0.0.0.0/0
Framework | SOC 2
Severity | High
Rule Description:
VPC security groups must not contain an inbound rule that allows SSH access (TCP port 22) from the IP range 0.0.0.0/0; this check is part of SOC 2 compliance. The rule ensures that only authorized sources can establish SSH connections to the instances within the VPC. Narrowing the IP range permitted to reach SSH reduces the risk of unauthorized access and of the security breaches that follow from it.
Troubleshooting Steps:
If a VPC security group does not restrict ingress SSH access as this rule requires, work through the following troubleshooting steps:
Verify Security Group Rules: Inspect the inbound rules of the associated security group for any rule that allows SSH (TCP port 22) from the IP range 0.0.0.0/0.
Confirm Security Group Association: Validate that the security group with the SSH rule is correctly associated with the desired VPC. If not, associate it with the appropriate VPC.
VPC Subnet Routing: Ensure that the instances within the VPC are deployed within the appropriate subnet and that the subnet's routing is correctly configured.
Network ACLs: Confirm that the Network Access Control Lists (ACLs) associated with the VPC subnets do not have any conflicting rules that may override the security group's SSH access restriction.
NACL Ingress Rules: Verify the inbound rules of the Network ACLs associated with the subnets to ensure that they do not allow SSH access from unauthorized IP ranges.
Security Group Outbound Rules: Validate that the security group does not have any outbound rules that may inadvertently allow SSH connections to unauthorized destinations.
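The first troubleshooting step (inspecting the inbound rules) can be automated against the output of aws ec2 describe-security-groups. The script below is an added example and is not part of the original page: it walks the IpPermissions of each group, flags every rule that admits SSH from anywhere, and prints the matching revoke command for each finding. It goes slightly beyond the rule text by also treating ::/0, all-traffic (-1) rules and port ranges that include 22 as violations. SAMPLE is a constructed describe-security-groups payload with invented group IDs and CIDRs.

```python
"""Audit security-group ingress rules for SSH that is open to the world.

Added example, not part of the original page. It works on the JSON that
`aws ec2 describe-security-groups` returns, so it can be run offline against a
saved dump; SAMPLE below is a constructed payload with invented group IDs.
"""
import json

SSH_PORT = 22
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "anywhere"


def permission_covers_ssh(perm):
    """True if an IpPermissions entry admits TCP/22, including all-traffic rules."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)


def world_open_ssh_rules(group):
    """List every (cidr, protocol, port range) in one group that allows SSH from anywhere."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not permission_covers_ssh(perm):
            continue
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                findings.append({"cidr": cidr, "protocol": perm["IpProtocol"],
                                 "from_port": perm.get("FromPort"),
                                 "to_port": perm.get("ToPort")})
    return findings


def audit(describe_output):
    """Map every GroupId in a describe-security-groups payload to its findings."""
    return {g["GroupId"]: world_open_ssh_rules(g)
            for g in describe_output.get("SecurityGroups", [])}


def revoke_commands(group_id, findings):
    """Build one `aws ec2 revoke-security-group-ingress` command per finding.

    --ip-permissions is used because it expresses IPv6 ranges and all-traffic
    rules uniformly. AWS only revokes an exact match, so a rule such as
    tcp 20-30 is revoked as 20-30 rather than narrowed to port 22.
    """
    cmds = []
    for f in findings:
        perm = {"IpProtocol": f["protocol"]}
        if f["from_port"] is not None:
            perm["FromPort"], perm["ToPort"] = f["from_port"], f["to_port"]
        if ":" in f["cidr"]:
            perm["Ipv6Ranges"] = [{"CidrIpv6": f["cidr"]}]
        else:
            perm["IpRanges"] = [{"CidrIp": f["cidr"]}]
        cmds.append("aws ec2 revoke-security-group-ingress --group-id %s "
                    "--ip-permissions '%s'" % (group_id, json.dumps([perm])))
    return cmds


# Constructed sample in describe-security-groups shape (IDs and CIDRs invented).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},          # HTTPS, not in scope
    {"GroupId": "sg-0fedcba9876543210", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 30,  # range covers 22
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}]}     # compliant

if __name__ == "__main__":
    for gid, findings in audit(SAMPLE).items():
        print(gid, "FAIL" if findings else "PASS")
        for cmd in revoke_commands(gid, findings):
            print("  ", cmd)
```

To run it against a real account, save the output of aws ec2 describe-security-groups to a file, load it with json.load and pass the result to audit(); the printed commands can then be reviewed and executed one by one. Revoking the open rule is only half of the remediation: SSH access from the ranges that legitimately need it still has to be authorized separately.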
Necessary Codes:
Restricting ingress SSH access from 0.0.0.0/0 for SOC 2 compliance is done by modifying the VPC security group, either through the AWS Management Console or with AWS CLI commands. The first command below removes the rule that allows SSH from 0.0.0.0/0; the second re-allows SSH only from a trusted address range:
aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id <security_group_id> --protocol tcp --port 22 --cidr <trusted_cidr>
Replace <security_group_id> with the actual ID of the security group you want to modify, and <trusted_cidr> with the address range that is permitted to initiate SSH connections.
Step-by-Step Guide for Remediation:
Open the AWS Management Console and navigate to the EC2 service.
Click on "Security Groups" in the navigation pane on the left.
Identify the security group associated with the VPC that needs to restrict SSH access.
Select the appropriate security group by clicking on its name.
In the "Inbound rules" tab, click on "Edit inbound rules."
Click on "Add rule" and configure the following details:
Click on "Save rules" to apply the changes.
Verify that the SSH access from 0.0.0.0/0 is now restricted according to the specified rule.
Note: Ensure that the above steps and CLI command are executed within the appropriate AWS account with proper access and permissions.