VPC security group inbound rules should not permit ingress from a public address to all ports and protocols

Description

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. AWS recommends that no security group explicitly allow unrestricted inbound access across all ports.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • For each security group, perform the steps described below.

    • Select the Security Group, click the Inbound Rules tab, and click Edit rules.

    • Remove any rules that permit ingress from any public address to all ports and protocols.

    • Click Save.

AWS CLI

  • Remove all ingress rules that allow connectivity from a public CIDR block to all ports and protocols (replace <id>, <cidr> and <v6-cidr> with the group id and the offending IPv4/IPv6 ranges):

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=0,IpProtocol=tcp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=65535'

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=0,IpProtocol=udp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=65535'

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=icmp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=icmpv6,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=-1,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'

Terraform

  • Ensure that the aws_security_group ingress block does NOT contain both of the following:

    • A public CIDR block; i.e., cidr_blocks is set to anything EXCEPT the following valid blocks:

      • 10.0.0.0/8

      • 172.16.0.0/12

      • 192.168.0.0/16

    • A port range that covers all ports:

      • from_port and to_port are both set to 0

      • from_port is set to 0 and to_port is set to 65535

Example Configuration

resource "aws_security_group" "inbound-all-private" {
  name = "inbound-all-private"

  ingress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["192.168.0.0/24"]
  }
}
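The CLI and Terraform sections above describe the condition to detect (a public CIDR combined with an all-ports or all-protocols range) and the revoke commands that remediate it. The following Python script is an added example, not part of this page or of any vendor tool: it applies those criteria to the JSON shape returned by `aws ec2 describe-security-groups` (`SecurityGroups[].IpPermissions[]` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges[].CidrIp`, `Ipv6Ranges[].CidrIpv6`) and prints the matching `revoke-security-group-ingress` command for each offending range. Assumptions: "private" means exactly the three IPv4 blocks listed in the Terraform section, every IPv6 range is treated as public, and the sample groups embedded at the bottom are constructed for the demonstration.

```python
"""Flag ingress rules that open all ports/protocols to a public CIDR and emit revoke commands."""
import ipaddress
import json
import shlex
import sys

# The private blocks the page treats as non-public; anything else (including 0.0.0.0/0) is public.
PRIVATE_V4 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public_cidr(cidr):
    """True unless the range lies entirely inside one of the listed private IPv4 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 6:
        return True  # assumption: the page lists no private IPv6 blocks, so every v6 range counts as public
    return not any(net.subnet_of(p) for p in PRIVATE_V4)


def is_all_ports(perm):
    """True when an IpPermissions entry covers every port of its protocol, per the page's criteria."""
    proto = str(perm.get("IpProtocol", "-1"))
    if proto == "-1":
        return True  # all protocols; the API omits FromPort/ToPort on these entries
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if proto in ("icmp", "icmpv6"):
        return lo == -1 and hi == -1  # -1/-1 = all ICMP types and codes
    return (lo, hi) in ((0, 0), (0, 65535))


def offending_ingress(group):
    """Return (permission, cidr) pairs in one describe-security-groups entry that violate the check."""
    hits = []
    for perm in group.get("IpPermissions", []):
        if not is_all_ports(perm):
            continue
        for r in perm.get("IpRanges", []):
            if is_public_cidr(r["CidrIp"]):
                hits.append((perm, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            if is_public_cidr(r["CidrIpv6"]):
                hits.append((perm, r["CidrIpv6"]))
    return hits


def revoke_command(group_id, perm, cidr):
    """Build the aws ec2 revoke-security-group-ingress invocation for one offending range."""
    proto = str(perm.get("IpProtocol", "-1"))
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    ranges = f"Ipv6Ranges=[{{CidrIpv6={cidr}}}]" if ":" in cidr else f"IpRanges=[{{CidrIp={cidr}}}]"
    spec = f"FromPort={lo},IpProtocol={proto},{ranges},ToPort={hi}"
    return f"aws ec2 revoke-security-group-ingress --group-id {group_id} --ip-permissions {shlex.quote(spec)}"


def audit(groups):
    """Map GroupId -> list of revoke commands, covering only groups with at least one offending range."""
    report = {}
    for g in groups:
        cmds = [revoke_command(g["GroupId"], p, c) for p, c in offending_ingress(g)]
        if cmds:
            report[g["GroupId"]] = cmds
    return report


# Constructed sample input mirroring the describe-security-groups output shape (ids are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]

if __name__ == "__main__":
    # Pipe real data in with: aws ec2 describe-security-groups | python3 this_script.py
    groups = json.load(sys.stdin)["SecurityGroups"] if not sys.stdin.isatty() else SAMPLE_GROUPS
    for gid, cmds in audit(groups).items():
        print(gid)
        for c in cmds:
            print("  " + c)
```

The script only prints commands; review them before running, since a 443-only rule from 0.0.0.0/0 (as in the first sample group) is deliberately left alone because it is not an all-ports rule, while an all-ports TCP rule from any non-private range is flagged even though it is not 0.0.0.0/0.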