VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 80, unless it is from an AWS Elastic Load Balancer.

Console Remediation Steps

  • Navigate to EC2.

  • In the left navigation, select Security Groups.

  • For each security group, perform the steps described below.

    • Select the security group, click the Inbound Rules tab, and identify any rules that include ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP).

  • In the left navigation, select Load Balancers.

    • If needed, create a load balancer.

    • Select a load balancer and click Edit Security Groups on the Description tab.

    • Select the security group(s) that include ingress from ‘0.0.0.0/0’ to TCP port 80, unless that security group is already associated with an ELB.

    • Click Save.

CLI Remediation Steps

  • For each security group that includes ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), associate it with a load balancer:

    • aws elb apply-security-groups-to-load-balancer --load-balancer-name <name> --security-groups <security group IDs>
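The console and CLI steps above both start with the same audit: find every security group whose inbound rules let 0.0.0.0/0 reach TCP port 80, then exclude the ones already attached to a load balancer. The following Python is an added example of that audit (it is not part of the original page or any AWS tooling). It runs offline over a constructed sample in the shape of `aws ec2 describe-security-groups --output json` output, with hypothetical group IDs, and over a constructed set of load-balancer security group IDs. It goes slightly beyond the literal rule by also flagging rules that include port 80 without naming it exactly: a TCP port range spanning 80 and an "all traffic" (`IpProtocol` of `-1`) rule, both of which a reviewer in the console would want to catch.

```python
import json

# Constructed sample mimicking `aws ec2 describe-security-groups` output.
# Group IDs are hypothetical placeholders, not real resources.
SAMPLE_DESCRIBE_SGS = json.loads("""
{
  "SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web-direct",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "elb-front",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "all-open",
     "IpPermissions": [
       {"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "office-only",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eee", "GroupName": "https-only",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
  ]
}
""")

# Constructed: IDs of security groups attached to load balancers. In a real
# run these come from `aws elb describe-load-balancers` (classic ELB) and
# `aws elbv2 describe-load-balancers` (ALB/NLB), field SecurityGroups.
SAMPLE_ELB_SG_IDS = {"sg-0bbb"}


def permits_anywhere_to_tcp80(perm: dict) -> bool:
    """True if one IpPermissions entry lets 0.0.0.0/0 reach TCP port 80.

    Matches the exact rule the page describes (tcp 80-80) and the broader
    rules that also include it: a tcp range spanning 80, or protocol -1
    (all traffic), which carries no FromPort/ToPort in the API output.
    """
    open_to_world = any(r.get("CidrIp") == "0.0.0.0/0"
                        for r in perm.get("IpRanges", []))
    if not open_to_world:
        return False
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 80 <= perm.get("ToPort", 65535)


def find_noncompliant(describe_sgs_output: dict, elb_sg_ids: set) -> list:
    """Return sorted IDs of groups that open TCP/80 to the world and are
    not associated with any load balancer (the page's exception)."""
    flagged = []
    for sg in describe_sgs_output.get("SecurityGroups", []):
        if sg["GroupId"] in elb_sg_ids:
            continue  # already behind an ELB: permitted by the rule
        if any(permits_anywhere_to_tcp80(p) for p in sg.get("IpPermissions", [])):
            flagged.append(sg["GroupId"])
    return sorted(flagged)


if __name__ == "__main__":
    for group_id in find_noncompliant(SAMPLE_DESCRIBE_SGS, SAMPLE_ELB_SG_IDS):
        print(f"non-compliant: {group_id} permits 0.0.0.0/0 -> tcp/80 and is not on an ELB")
```

Against the constructed sample this flags `sg-0aaa` (exact tcp/80 rule, no ELB) and `sg-0ccc` (all-traffic rule, which includes port 80), while `sg-0bbb` is skipped because it is attached to a load balancer and `sg-0ddd` and `sg-0eee` never match. To use it on a real account, replace the two constructed inputs with the JSON from `aws ec2 describe-security-groups` and the security group IDs gathered from the load-balancer describe calls; the flagged IDs are then the ones the page's `aws elb apply-security-groups-to-load-balancer` step applies to.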