VPC security group rules should not permit ingress from ‘’ to port 22 (SSH)


VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • Repeat the following steps for each security group that allows unrestricted ingress to port 22.

    • Select the security group and from the Actions drop-down, select Edit inbound rules.

    • Remove any rule that allows unrestricted ingress to port 22 and click Save rules.

CLI Remediation Steps

  • List all security groups with an ingress rule of

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the rule:

    • aws ec2 revoke-security-group-ingress --group-id <value> --protocol <protocol> --port 22 --cidr

  • Optionally add a more restrictive ingress rule to the selected security group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr <cidr_block>
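The describe-security-groups filter above matches any rule that uses the open CIDR on any port, and a filter on the CIDR alone also misses all-traffic (IpProtocol -1) rules and port ranges that include 22. The following added example (not part of this page's remediation steps) evaluates the JSON returned by describe-security-groups for rules that actually expose SSH to 0.0.0.0/0 or ::/0 and renders a revoke command that matches each offending rule exactly; the SAMPLE data and group IDs are constructed.

```python
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere on the internet", IPv4 and IPv6
SSH_PORT = 22


def rule_exposes_port(perm, port=SSH_PORT):
    """True if an IpPermissions entry covers the TCP port: IpProtocol -1 (all
    traffic) and ranges such as 0-1024 count, which a CIDR-only filter misses."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def find_open_ssh_rules(security_groups):
    """Return (group_id, ip_permission) per rule that opens SSH to the world.
    Each ip_permission holds only the offending CIDR so it revokes exactly that."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_exposes_port(perm):
                continue
            base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            for r in perm.get("IpRanges", []):
                if r.get("CidrIp") in OPEN_CIDRS:
                    findings.append((sg["GroupId"], dict(base, IpRanges=[{"CidrIp": r["CidrIp"]}])))
            for r in perm.get("Ipv6Ranges", []):
                if r.get("CidrIpv6") in OPEN_CIDRS:
                    findings.append((sg["GroupId"], dict(base, Ipv6Ranges=[{"CidrIpv6": r["CidrIpv6"]}])))
    return findings


def revoke_command(group_id, ip_permission):
    """Render the matching revoke call; --ip-permissions takes the rule as JSON."""
    return "aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'" % (
        group_id, json.dumps([ip_permission]))


# Constructed sample, shaped like `aws ec2 describe-security-groups --output json`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]}
```

To run it against a real account, feed `json.load(...)["SecurityGroups"]` from the describe-security-groups output to find_open_ssh_rules and review the rendered commands before executing them.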