VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 80, unless it is from an AWS Elastic Load Balancer.

Remediation Steps

AWS Console

• Navigate to VPC.

• In the left navigation pane, click Security Groups.

  • Remove any rules that include port 80 and have a source of 0.0.0.0/0.

  • Click Save.

AWS CLI

• List all security groups with an ingress rule of 0.0.0.0/0:

  • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

• Remove the inbound rule(s) that permits unrestricted ingress to port 80:

  • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 80 --cidr 0.0.0.0/0

• Optionally add a more restrictive ingress rule to the selected Security Group:

  • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 80 --cidr <cidr_block>

Terraform

• Ensure that an aws_security_group ingress block does NOT contain both of the following:

  • A 0.0.0.0/0 in the cidr_blocks field

  • 80 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = [10.0.0.0/16]
    from_port   = 80
    to_port     = 80
    # other required fields here
  }
}

Documentation Links

AWS Console and CLI

• Security Groups for your VPC: Adding, Removing, and Updating Rules

• Updating Security Group Rules

• describe-security-groups Command Line Reference

• revoke-security-group-ingress Command Line Reference

Terraform

• Resource: aws_security_group

  • Field: ingress