VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)

Description

VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • In the left navigation pane, click Security Groups.

    • Remove any rules that include port 22 and have a source of 0.0.0.0/0.

    • Click Save.

AWS CLI

  • List all security groups with an ingress rule of 0.0.0.0/0:

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the inbound rule(s) that permits unrestricted ingress to port 22:

    • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr 0.0.0.0/0

  • Optionally add a more restrictive ingress rule to the selected Security Group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr <cidr_block>

CloudFormation

JSON

JSON Example Configuration
{
  "ValidSecurityGroup02": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "SecurityGroupIngress": [
        {
          "CidrIp": "10.0.0.0/16",
          "FromPort": 22,
          "ToPort": 22,
          "IpProtocol": -1
        }
      ]
    }
    # other required fields here
  }
}

YAML

YAML Example Configuration
ValidSecurityGroup02:
  Type: AWS::EC2::SecurityGroup
  Properties:
    SecurityGroupIngress:
    - CidrIp: '10.0.0.0/16'
      FromPort: 22
      ToPort: 22
      IpProtocol: -1
  # other required fields here

Terraform

  • Ensure that an aws_security_group ingress block does NOT contain both of the following:

    • A 0.0.0.0/0 in the cidr_blocks field

    • 22 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = [10.0.0.0/16]
    from_port   = 22
    to_port     = 22
    # other required fields here
  }
}