VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)

Description

VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • Repeat the following steps for each security group that allows ingress from 0.0.0.0/0 on port 22.

    • Select the security group and from the Actions drop-down, select Edit inbound rules.

    • Remove any rule that allows ingress from 0.0.0.0/0 on port 22 and click Save rules.

CLI Remediation Steps

  • List all security groups with an ingress rule from 0.0.0.0/0 (this filter matches any port and protocol, so inspect each listed group's rules for those that cover TCP port 22):

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the rule from each affected group (replace <value> with the group ID):

    • aws ec2 revoke-security-group-ingress --group-id <value> --protocol tcp --port 22 --cidr 0.0.0.0/0
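The CLI steps above leave the per-port check to the operator, since the describe filter matches any rule from 0.0.0.0/0 and the revoke command only removes a rule whose protocol, port range and CIDR match it exactly. The following added example (not part of this page; the security-group data is constructed) reads describe-security-groups output, reports every rule that admits TCP/22 from the whole internet, and goes beyond the page by also catching wider port ranges, all-protocol (-1) rules and the IPv6 ::/0 source, emitting a revoke command that matches each rule exactly.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
    "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0ccc", "GroupName": "all-traffic", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0ddd", "GroupName": "internal", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}]}""")

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def covers_tcp_port(perm, port=22):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":      # all protocols, all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]

def open_ssh_rules(describe_output, port=22):
    """(group_id, protocol, from_port, to_port, cidr) for every rule that admits
    TCP/`port` from the whole internet over IPv4 (0.0.0.0/0) or IPv6 (::/0)."""
    found = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_tcp_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == ANY_V4]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == ANY_V6]
            for cidr in cidrs:
                found.append((sg["GroupId"], perm["IpProtocol"],
                              perm.get("FromPort", -1), perm.get("ToPort", -1), cidr))
    return found

def revoke_command(finding):
    """Revoke command matching the rule exactly: AWS removes a rule only when the
    protocol, port range and CIDR all match, so `--port 22` leaves a 0-1024 rule in place."""
    gid, proto, fp, tp, cidr = finding
    rng = "" if proto == "-1" else f",FromPort={fp},ToPort={tp}"
    key = "Ipv6Ranges=[{CidrIpv6=%s}]" if ":" in cidr else "IpRanges=[{CidrIp=%s}]"
    return (f"aws ec2 revoke-security-group-ingress --group-id {gid} "
            f"--ip-permissions 'IpProtocol={proto}{rng},{key % cidr}'")
```

Pipe real output in with `open_ssh_rules(json.load(sys.stdin))` and review each generated command before running it; after revoking, re-run the check to confirm the group no longer admits TCP/22 from 0.0.0.0/0 or ::/0.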