VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 5500. Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • For each security group, perform the steps described below.

  • Select the Security Group, click the Inbound Rules tab, and and click Edit rules.

  • Remove any rules that includes port 5500 and has a source of 0.0.0.0/0.

  • Click Save.

CLI Remediation Steps

  • Remove the inbound rule(s) that permits unrestricted ingress to TCP port 5500 from the selected Security Group:

    • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 5500 --cidr 0.0.0.0/0

  • Optionally add a more restrictive ingress rule to the selected Security Group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 5500 --cidr <cidr_block>