VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols¶
Description¶
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources; they only allow traffic, so any rule that matches a packet admits it regardless of the other rules in the group. No security group should allow unrestricted ingress from 0.0.0.0/0 (or its IPv6 equivalent ::/0) to all ports and protocols. Such a rule exposes every service listening on the attached resources, including remote console services such as SSH and RDP, to the whole Internet; removing that unfettered connectivity reduces a server's exposure to risk. Note that this control covers only rules spanning all ports: a rule open to 0.0.0.0/0 on a single port is not flagged here and must be reviewed separately.
Remediation Steps¶
AWS Console¶
Navigate to VPC.
In the left navigation, select Security Groups.
For each security group, perform the steps described below.
Select the Security Group, click the Inbound Rules tab, and click Edit inbound rules.
Remove any rules that permit ingress from ‘0.0.0.0/0’ or ‘::/0’ to all ports and protocols (protocol All, or TCP/UDP with port range 0-65535).
Click Save.
AWS CLI¶
Remove ingress rules which allow connectivity from anywhere to all ports and protocols. revoke-security-group-ingress only removes a rule whose protocol, port range and CIDR match the request exactly, so compare each command against the rule as shown by describe-security-groups and adjust the values to match; ranges that are not present in the group are reported back as unknown permissions rather than removed:
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=0,IpProtocol=tcp,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}],ToPort=65535'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=0,IpProtocol=udp,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}],ToPort=65535'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=icmp,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}],ToPort=-1'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}],ToPort=-1'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=icmpv6,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}],ToPort=-1'
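The exact-match requirement above makes a fixed list of revoke commands fragile: a rule stored as tcp 0-65535 from 0.0.0.0/0 only is not removed by a command that also names ::/0. The following script is an added example, not part of this page or of any AWS tooling. It reads the JSON that `aws ec2 describe-security-groups` prints, applies the same "all ports" predicates this page uses (protocol -1, tcp/udp 0-65535 or the Terraform 0-0 spelling, all ICMP types) together with a 0.0.0.0/0 or ::/0 source, and prints one revoke command per offending rule built from the rule's own values. It makes no AWS calls; the group IDs and rules in SAMPLE are constructed for the example.

```python
"""Flag security-group ingress rules open to the world on all ports.

Added example (not from the original page, not AWS tooling). Reads
`aws ec2 describe-security-groups` JSON from a file argument or stdin and
prints an exact-match `revoke-security-group-ingress` command for every rule
that admits 0.0.0.0/0 or ::/0 to all ports. With no input it audits SAMPLE.
"""
import json
import sys

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample in describe-security-groups shape; the group IDs are made up.
SAMPLE = {
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,   # all TCP ports from anywhere
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,   # single port: outside this control
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0fedcba9876543210", "GroupName": "internal", "IpPermissions": [
            {"IpProtocol": "-1",                                    # all traffic; only ::/0 is the problem
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ]},
    ]
}


def covers_all_ports(perm):
    """True when an IpPermissions entry spans every port of its protocol."""
    proto = str(perm.get("IpProtocol", "-1"))
    if proto == "-1":
        return True  # all protocols; AWS ignores any port range on such a rule
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if proto in ("icmp", "icmpv6"):
        return lo == -1  # ICMP type -1 means every type
    if proto in ("tcp", "udp"):
        return (lo, hi) in ((0, 65535), (0, 0))  # 0-0 is the Terraform spelling of "all"
    return False  # other protocol numbers are port-less but not "all protocols"


def world_open_sources(perm):
    """Return (list key, CIDR) pairs in this entry that admit the whole Internet."""
    hits = [("IpRanges", ANY_V4) for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    hits += [("Ipv6Ranges", ANY_V6) for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    return hits


def find_offending_rules(groups):
    """Return (group_id, permission, sources) for every rule failing the control."""
    offending = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            sources = world_open_sources(perm)
            if sources and covers_all_ports(perm):
                offending.append((sg["GroupId"], perm, sources))
    return offending


def revoke_command(group_id, perm, sources):
    """Build the exact-match revoke command for one offending entry.

    The protocol and port range are copied from the observed rule so the request
    matches it exactly; only the world-open CIDRs are named, so other CIDRs that
    share the same entry (10.0.0.0/16 in SAMPLE) are left in place.
    """
    parts = [f"IpProtocol={perm.get('IpProtocol', '-1')}"]
    if "FromPort" in perm and "ToPort" in perm:
        parts.append(f"FromPort={perm['FromPort']},ToPort={perm['ToPort']}")
    keys = {k for k, _ in sources}
    if "IpRanges" in keys:
        parts.append(f"IpRanges=[{{CidrIp={ANY_V4}}}]")
    if "Ipv6Ranges" in keys:
        parts.append(f"Ipv6Ranges=[{{CidrIpv6={ANY_V6}}}]")
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{','.join(parts)}'")


def audit(doc):
    """One revoke command per offending rule in a describe-security-groups document."""
    return [revoke_command(g, p, s) for g, p, s in find_offending_rules(doc.get("SecurityGroups", []))]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    elif not sys.stdin.isatty():
        doc = json.load(sys.stdin)
    else:
        doc = SAMPLE
    for cmd in audit(doc):
        print(cmd)
```

Run it against a live account with `aws ec2 describe-security-groups --output json | python3 sg_audit.py` (the file name is arbitrary) and review the printed commands before executing them. Where the account is in a region that exposes security group rule IDs, the same cleanup can be done without rebuilding the match: list rules with `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<id>` and pass the offending `sgr-` IDs to `aws ec2 revoke-security-group-ingress --group-id <id> --security-group-rule-ids ...`.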
Terraform¶
Ensure that an aws_security_group ingress block does NOT contain both of the following:
  0.0.0.0/0 in the cidr_blocks field (or ::/0 in the ipv6_cidr_blocks field)
  A port range that covers all ports:
    from_port and to_port are both set to 0 (with protocol = "-1", this is all traffic on all protocols)
    from_port is set to 0 and to_port is set to 65535
Example Configuration¶
resource "aws_security_group" "example" {
  ingress {
    # Source is a private range, not 0.0.0.0/0, so this rule passes the check
    cidr_blocks = ["10.0.0.0/16"]
    protocol    = "-1"  # all protocols; Terraform requires from_port and to_port of 0 with "-1"
    from_port   = 0
    to_port     = 0
  }
  # name, vpc_id and other fields here
}