VPC security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)
Description
VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.
Console Remediation Steps
Navigate to VPC.
In the left navigation, select Security Groups.
Repeat the following steps for each security group that allows ingress from 0.0.0.0/0 on port 22.
Select the security group and from the Actions drop-down, select Edit inbound rules.
Remove any rule that allows ingress from 0.0.0.0/0 on port 22, then click Save rules.
CLI Remediation Steps
List all security groups that have any ingress rule from 0.0.0.0/0 (the filter matches on CIDR only, so check each result for a rule that covers port 22):
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
Remove the rule:
aws ec2 revoke-security-group-ingress --group-id <value> --protocol <protocol> --port 22 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr <cidr_block>