VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)

Description

VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.

Remediation Steps

AWS Console

• Navigate to VPC.

• In the left navigation pane, click Security Groups.

  • Remove any rules that include port 22 and have a source of 0.0.0.0/0.

  • Click Save.

AWS CLI

• List all security groups with an ingress rule of 0.0.0.0/0:

  • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

• Remove the inbound rule(s) that permits unrestricted ingress to port 22:

  • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr 0.0.0.0/0

• Optionally add a more restrictive ingress rule to the selected Security Group:

  • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr <cidr_block>

CloudFormation

JSON

• Ensure that an AWS::EC2::SecurityGroup SecurityGroupIngress block does NOT contain both of the following:

  • A 0.0.0.0/0 in the CidrIp field

  • 22 is within the port range defined from FromPort to ToPort, OR FromPort and ToPort are both set to 0

JSON Example Configuration

{
  "ValidSecurityGroup02": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "SecurityGroupIngress": [
        {
          "CidrIp": "10.0.0.0/16",
          "FromPort": 22,
          "ToPort": 22,
          "IpProtocol": -1
        }
      ]
    }
    # other required fields here
  }
}

YAML

• Ensure that an AWS::EC2::SecurityGroup SecurityGroupIngress block does NOT contain both of the following:

  • A 0.0.0.0/0 in the CidrIp field

  • 22 is within the port range defined from FromPort to ToPort, OR FromPort and ToPort are both set to 0

YAML Example Configuration

ValidSecurityGroup02:
  Type: AWS::EC2::SecurityGroup
  Properties:
    SecurityGroupIngress:
    - CidrIp: '10.0.0.0/16'
      FromPort: 22
      ToPort: 22
      IpProtocol: -1
  # other required fields here

Terraform

• Ensure that an aws_security_group ingress block does NOT contain both of the following:

  • A 0.0.0.0/0 in the cidr_blocks field

  • 22 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = [10.0.0.0/16]
    from_port   = 22
    to_port     = 22
    # other required fields here
  }
}

Documentation Links

Runtime

• Security Groups for your VPC: Adding, Removing, and Updating Rules

• Updating Security Group Rules

• describe-security-groups Command Line Reference

• revoke-security-group-ingress Command Line Reference

CloudFormation

• Resource: AWS::EC2::SecurityGroup

  • Field: SecurityGroupIngress

  • Field: CidrIp

  • Field: FromPort

  • Field: ToPort

Terraform

• Resource: aws_security_group

  • Field: ingress