VPC security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)
Description
VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.
Remediation Steps
AWS Console
Navigate to VPC.
In the left navigation pane, click Security Groups.
Remove any rules that include port 22 and have a source of 0.0.0.0/0.
Click Save.
AWS CLI
List all security groups that have an ingress rule with a source of 0.0.0.0/0 (this filter matches rules on any port, so check each returned group for rules covering port 22):
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
Remove the inbound rule(s) that permit unrestricted ingress to port 22 (the protocol, port range and CIDR given here must match the existing rule exactly for the revoke to take effect):
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr <cidr_block>
CloudFormation
JSON
Ensure that an AWS::EC2::SecurityGroup SecurityGroupIngress block does NOT contain both of the following:
- 0.0.0.0/0 in the CidrIp field
- 22 within the port range defined from FromPort to ToPort, OR an IpProtocol of -1 (all traffic, which ignores the port range)
JSON Example Configuration
{
  "ValidSecurityGroup02": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "GroupDescription": "SSH from the internal 10.0.0.0/16 range only",
      "SecurityGroupIngress": [
        {
          "CidrIp": "10.0.0.0/16",
          "FromPort": 22,
          "ToPort": 22,
          "IpProtocol": "tcp"
        }
      ]
    }
  }
}
YAML
Ensure that an AWS::EC2::SecurityGroup SecurityGroupIngress block does NOT contain both of the following:
- 0.0.0.0/0 in the CidrIp field
- 22 within the port range defined from FromPort to ToPort, OR an IpProtocol of -1 (all traffic, which ignores the port range)
YAML Example Configuration
ValidSecurityGroup02:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: SSH from the internal 10.0.0.0/16 range only
    SecurityGroupIngress:
      - CidrIp: '10.0.0.0/16'
        FromPort: 22
        ToPort: 22
        IpProtocol: tcp   # SSH is TCP; -1 would mean all traffic and ignore the port range
    # other optional fields (VpcId, Tags) here
Terraform
Ensure that an aws_security_group ingress block does NOT contain both of the following:
- 0.0.0.0/0 in the cidr_blocks field
- 22 within the port range defined from from_port to to_port, OR from_port and to_port both set to 0
Example Configuration
resource "aws_security_group" "example" {
  name        = "ssh-from-internal"
  description = "SSH from the internal 10.0.0.0/16 range only"

  ingress {
    protocol    = "tcp"   # required in an ingress block; SSH is TCP
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["10.0.0.0/16"]
  }
  # other optional fields (vpc_id, tags) here
}
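The following Python script is an added example, not code from the original page or from any AWS tooling. It applies the rule's conditions (a 0.0.0.0/0 source combined with port 22 inside from_port..to_port, or an all-traffic rule) to the JSON that `aws ec2 describe-security-groups` returns, which is useful because the CLI filter in the AWS CLI section matches 0.0.0.0/0 rules on any port and still needs to be narrowed to SSH. It also builds the matching revoke-security-group-ingress command for each finding. Assumptions: the SAMPLE document is constructed for the example, the IPv6 wildcard ::/0 is treated as equally unrestricted, and the revoke command uses --group-id (which works for every VPC security group, whereas --group-name only addresses groups in the default VPC).

```python
"""Evaluate the 'no SSH from 0.0.0.0/0' rule over describe-security-groups output."""
import json

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"  # assumption: the IPv6 wildcard is treated as equally unrestricted
SSH_PORT = 22


def rule_covers_port(perm, port=SSH_PORT):
    """True when one IpPermissions entry admits traffic to `port`.

    Mirrors the rule's port conditions: `port` lies within FromPort..ToPort,
    or the entry is an all-traffic rule (IpProtocol -1, or ports 0 to 0).
    """
    proto = str(perm.get("IpProtocol", "")).lower()
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):  # SSH is TCP; a UDP rule on 22 is not SSH exposure
        return False
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:
        return False
    if from_port == 0 and to_port == 0:
        return True
    return from_port <= port <= to_port


def wildcard_cidrs(perm):
    """Return the unrestricted CIDRs (IPv4 and IPv6) named by one entry."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in (ANY_IPV4, ANY_IPV6)]


def find_ssh_open_to_world(describe_output, port=SSH_PORT):
    """Return one finding per (group, rule, wildcard CIDR) that violates the rule."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for cidr in wildcard_cidrs(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg["GroupName"],
                    "IpProtocol": str(perm.get("IpProtocol")),
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Cidr": cidr,
                })
    return findings


def revoke_command(finding, region="<region>"):
    """Build the revoke-security-group-ingress call that matches the offending rule.

    A revoke only removes a rule when protocol, port range and CIDR all match the
    rule as it exists, so the command is built from the finding, not from port 22.
    """
    base = f"aws ec2 revoke-security-group-ingress --region {region} --group-id {finding['GroupId']}"
    if finding["IpProtocol"] == "-1" or finding["Cidr"] == ANY_IPV6:
        # All-traffic and IPv6 rules need the structured --ip-permissions form.
        key = "IpRanges=[{CidrIp=%s}]" if finding["Cidr"] == ANY_IPV4 else "Ipv6Ranges=[{CidrIpv6=%s}]"
        perm = "IpProtocol=%s" % finding["IpProtocol"]
        if finding["IpProtocol"] != "-1":
            perm += ",FromPort=%d,ToPort=%d" % (finding["FromPort"], finding["ToPort"])
        return f"{base} --ip-permissions '{perm},{key % finding['Cidr']}'"
    ports = (str(finding["FromPort"]) if finding["FromPort"] == finding["ToPort"]
             else f"{finding['FromPort']}-{finding['ToPort']}")
    return f"{base} --protocol {finding['IpProtocol']} --port {ports} --cidr {finding['Cidr']}"


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0ddd", "GroupName": "admin", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
  {"GroupId": "sg-0eee", "GroupName": "ftp", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")

if __name__ == "__main__":
    # "web" is matched by the CLI's ip-permission.cidr filter but is not an SSH finding.
    for finding in find_ssh_open_to_world(SAMPLE):
        print(finding["GroupId"], finding["GroupName"], finding["Cidr"])
        print("   ", revoke_command(finding))
```

On the constructed sample the script reports bastion (TCP 22), legacy (all traffic) and ftp (TCP 20-25 from ::/0), and skips web and admin. To run it against a real account, replace SAMPLE with the parsed output of `aws ec2 describe-security-groups` and review each generated revoke command before executing it.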