VPC security group inbound rules should not permit ingress from a public address to all ports and protocols
Description
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group explicitly allows unrestricted inbound access from a public address to all ports and protocols.
Remediation Steps
AWS Console
Navigate to VPC.
In the left navigation, select Security Groups.
For each security group, perform the steps described below.
Select the Security Group, click the Inbound Rules tab, and click Edit rules.
Remove any rules that permit ingress from any public address to all ports and protocols.
Click Save.
AWS CLI
Remove all ingress rules that allow connectivity from a public CIDR block to all ports and protocols, substituting the security group ID for <id> and the offending IPv4/IPv6 ranges for <cidr> and <v6-cidr>:
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=0,IpProtocol=tcp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=65535'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=0,IpProtocol=udp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=65535'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=icmp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=icmpv6,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=-1,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'
Terraform
Ensure that the aws_security_group ingress block does NOT contain both of the following:
- A public CIDR block; i.e., cidr_blocks is set to anything EXCEPT the following valid blocks:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
- Any invalid port range:
  - from_port and to_port are both set to 0
  - from_port is set to 0 and to_port is set to 65535
Example Configuration
resource "aws_security_group" "inbound-all-private" {
  name = "inbound-all-private"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["192.168.0.0/24"]
  }
}
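The following Python script is an added example for this page; it is not part of the original documentation or of any tool it describes. It applies the Terraform criteria above (public means outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; all ports means protocol -1, or a 0-0 or 0-65535 range, plus the ICMP -1/-1 form the CLI commands revoke) to a security group in the shape returned by `aws ec2 describe-security-groups`, builds the matching `revoke-security-group-ingress` command for each finding, and applies the same check to a Terraform-shaped ingress block. The group ID and rules are constructed sample data, and treating fc00::/7 as private for IPv6 is an assumption of this example, not something the page states.

```python
"""Find security-group ingress rules that expose all ports/protocols to a public CIDR.

Added example: the page's criteria implemented over describe-security-groups output
and over Terraform-style ingress blocks. Sample data below is constructed.
"""
import ipaddress

# The page's list of valid (non-public) IPv4 blocks (RFC 1918).
PRIVATE_V4 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption (not on the page): IPv6 unique-local addresses count as private.
PRIVATE_V6 = [ipaddress.ip_network("fc00::/7")]


def is_public_cidr(cidr: str) -> bool:
    """A CIDR is public unless it lies entirely inside one of the private blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    private = PRIVATE_V4 if net.version == 4 else PRIVATE_V6
    return not any(net.subnet_of(p) for p in private)


def allows_all_ports(protocol, from_port, to_port) -> bool:
    """Mirror the page's port criteria and the protocol/port pairs its CLI commands revoke:
    -1 covers every protocol; tcp/udp 0-0 or 0-65535; icmp/icmpv6 -1/-1 (all types and codes)."""
    protocol = str(protocol)
    if protocol == "-1":
        return True
    if protocol in ("tcp", "udp"):
        return (from_port, to_port) in ((0, 0), (0, 65535))
    if protocol in ("icmp", "icmpv6"):
        return (from_port, to_port) == (-1, -1)
    return False


def find_offending_rules(group: dict) -> list:
    """Scan one security group dict as returned by `aws ec2 describe-security-groups`.
    Returns one finding per (permission, public CIDR) pair."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # FromPort/ToPort are absent when IpProtocol is -1; the CLI uses -1 for both in that case.
        fp, tp = perm.get("FromPort", -1), perm.get("ToPort", -1)
        if not allows_all_ports(proto, fp, tp):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if is_public_cidr(cidr):
                findings.append({"group_id": group["GroupId"], "protocol": proto,
                                 "from_port": fp, "to_port": tp, "cidr": cidr})
    return findings


def terraform_ingress_violates(block: dict) -> bool:
    """Apply the same criteria to a Terraform ingress block (keys as in aws_security_group)."""
    if not allows_all_ports(block["protocol"], block["from_port"], block["to_port"]):
        return False
    cidrs = block.get("cidr_blocks", []) + block.get("ipv6_cidr_blocks", [])
    return any(is_public_cidr(c) for c in cidrs)


def revoke_command(finding: dict) -> str:
    """Build the aws ec2 revoke-security-group-ingress call in the shorthand the page uses."""
    if ":" in finding["cidr"]:
        ranges = "Ipv6Ranges=[{CidrIpv6=%s}]" % finding["cidr"]
    else:
        ranges = "IpRanges=[{CidrIp=%s}]" % finding["cidr"]
    perm = "FromPort=%d,IpProtocol=%s,%s,ToPort=%d" % (
        finding["from_port"], finding["protocol"], ranges, finding["to_port"])
    return "aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'" % (
        finding["group_id"], perm)


# Constructed sample in describe-security-groups shape; the group ID is a placeholder.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        # all protocols from anywhere (IPv4 and IPv6): two findings
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # every TCP port from a public (TEST-NET-3) range: one finding
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        # a single port from anywhere: outside this rule's scope, not flagged
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # all protocols, but only from a private block: not flagged
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/24"}]},
    ],
}

# The page's Terraform example: all protocols, but only from a private block, so compliant.
PAGE_EXAMPLE_INGRESS = {"from_port": 0, "to_port": 0, "protocol": "-1",
                        "cidr_blocks": ["192.168.0.0/24"]}

if __name__ == "__main__":
    for finding in find_offending_rules(SAMPLE_GROUP):
        print(revoke_command(finding))
    print("page example violates:", terraform_ingress_violates(PAGE_EXAMPLE_INGRESS))
```

Running the script against the constructed group prints three revoke commands (the two all-protocol rules from 0.0.0.0/0 and ::/0, and the TCP 0-65535 rule from 203.0.113.0/24) and reports that the page's example configuration does not violate the rule. A real audit would replace SAMPLE_GROUP with the SecurityGroups entries from `aws ec2 describe-security-groups --output json`.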