VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 5800, unless it is from AWS Elastic Load Balancer. Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.
Console Remediation Steps
Navigate to VPC.
In the left navigation, select Security Groups.
For each security group, perform the steps described below.
Select the Security Group, click the Inbound Rules tab, and click Edit rules.
Remove any rule that includes port 5900 and has a source of 0.0.0.0/0.
CLI Remediation Steps
Remove the inbound rule(s) that permit unrestricted ingress to TCP port 5800 from the selected Security Group:
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 5800 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 5800 --cidr <cidr_block>
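As an added example (not part of this benchmark page or the AWS CLI), the check below evaluates `aws ec2 describe-security-groups` output offline against the rule above and builds the matching revoke command for each offending entry. It goes a step beyond the single-port command on the page: it also catches port ranges that span 5800 and all-traffic (-1) rules, which that command would not match. It assumes Python 3 and a constructed sample with placeholder group ids.

```python
import json

VNC_PORT = 5800
ANY_IPV4 = "0.0.0.0/0"

# Constructed sample shaped like `aws ec2 describe-security-groups` output; group ids are placeholders.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5800, "ToPort": 5800,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0e5f6a7b", "GroupName": "admin", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0c9d8e7f", "GroupName": "all-open", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

def rule_exposes_port(perm, port):
    """True if this IpPermission admits `port` over TCP from 0.0.0.0/0: exact match,
    a range spanning it, or an all-traffic (-1) rule a single-port revoke would miss."""
    proto = perm["IpProtocol"]
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
        return False
    return any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))

def find_violations(describe_output, port=VNC_PORT):
    """Return [(group_id, IpPermission)] for every rule that fails the check."""
    return [(sg["GroupId"], perm)
            for sg in describe_output["SecurityGroups"]
            for perm in sg["IpPermissions"]
            if rule_exposes_port(perm, port)]

def revoke_command(group_id, perm, region="<region>"):
    """Build the revoke command matching the rule exactly; --group-id works in any VPC."""
    proto = "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"]
    if proto == "all":
        port_arg = ""
    elif perm["FromPort"] == perm["ToPort"]:
        port_arg = f" --port {perm['FromPort']}"
    else:
        port_arg = f" --port {perm['FromPort']}-{perm['ToPort']}"
    return (f"aws ec2 revoke-security-group-ingress --region {region} "
            f"--group-id {group_id} --protocol {proto}{port_arg} --cidr {ANY_IPV4}")
```

Note that `--group-name` in the commands above only resolves groups in the default VPC; `--group-id` identifies a group in any VPC, which is why the generated command uses it.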