VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 80 unless the traffic originates from an AWS Elastic Load Balancer. Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • For each security group, perform the steps described below.

  • Select the Security Group, click the Inbound Rules tab, and click Edit rules.

  • Remove any rules that include ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs.

  • Click Save.

CLI Remediation Steps

  • Remove the inbound rule(s) that permit unrestricted ingress to TCP port 80 from the selected Security Group:

    • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 80 --cidr 0.0.0.0/0

  • Optionally add a more restrictive ingress rule to the selected Security Group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 80 --cidr <cidr_block>
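The revoke command above only matches a rule written exactly as tcp/80 from 0.0.0.0/0; a port range that contains 80 or an all-traffic ("-1") rule exposes HTTP just the same but is left in place. The following is an added example, not part of this rule page or of AWS tooling: it audits the JSON printed by `aws ec2 describe-security-groups --region <region>`, skips groups you pass in as ELB-attached (collect them from the SecurityGroups field of `aws elb describe-load-balancers` and `aws elbv2 describe-load-balancers`), and builds an exact-match revoke for each offending rule using the real `--group-id` and `--ip-permissions` options. The sample data is constructed.

```python
# Added example, not from the rule page: audit `aws ec2 describe-security-groups`
# JSON and emit a revoke command per rule exposing TCP/80 to 0.0.0.0/0,
# skipping groups attached to an ELB. Sample data below is constructed.
import json

ANY_V4 = "0.0.0.0/0"

def rule_exposes_http(perm):
    """True if an IpPermissions entry lets any IPv4 source reach TCP/80: the
    exact tcp/80 rule, a tcp range containing 80, or IpProtocol "-1" (all)."""
    proto = perm.get("IpProtocol")
    if proto == "tcp":
        if not perm.get("FromPort", 0) <= 80 <= perm.get("ToPort", 65535):
            return False
    elif proto != "-1":
        return False
    return any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))

def revoke_command(group_id, perm, region):
    """Exact-match revoke: protocol, port range and CIDR must equal the rule,
    so a range or all-traffic rule is not caught by '--protocol tcp --port 80'."""
    spec = {"IpProtocol": perm["IpProtocol"], "IpRanges": [{"CidrIp": ANY_V4}]}
    if perm["IpProtocol"] != "-1":
        spec.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
    return (f"aws ec2 revoke-security-group-ingress --region {region} "
            f"--group-id {group_id} --ip-permissions '{json.dumps([spec])}'")

def find_violations(describe_output, elb_group_ids, region):
    """Return [(group_id, revoke_command)] for every offending non-ELB rule."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        gid = sg["GroupId"]
        if gid in elb_group_ids:  # ELB-attached groups are the allowed exception
            continue
        for perm in sg.get("IpPermissions", []):
            if rule_exposes_http(perm):
                findings.append((gid, revoke_command(gid, perm, region)))
    return findings

# Constructed sample shaped like describe-security-groups output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_V4}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-wide", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]}
```

Review the printed commands before running them; `find_violations(SAMPLE, {"sg-elb"}, "us-east-1")` flags sg-web and sg-wide and leaves the ELB group alone.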