VPC security group rules should not permit ingress from ‘’ to port 22 (SSH)


VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • In the left navigation pane, click Security Groups.

    • Remove any rules that include port 22 and have a source of

    • Click Save.


AWS CLI

  • List all security groups with an ingress rule of

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the inbound rule(s) that permits unrestricted ingress to port 22:

    • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr

  • Optionally add a more restrictive ingress rule to the selected Security Group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr <cidr_block>



JSON Example Configuration

  "ValidSecurityGroup02": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "SecurityGroupIngress": [
        {
          "CidrIp": "",
          "FromPort": 22,
          "ToPort": 22,
          "IpProtocol": -1
        }
      ]
      # other required fields here
    }
  }


YAML Example Configuration

  Type: AWS::EC2::SecurityGroup
  Properties:
    SecurityGroupIngress:
      - CidrIp: ''
        FromPort: 22
        ToPort: 22
        IpProtocol: -1
    # other required fields here


Terraform

  • Ensure that an aws_security_group ingress block does NOT contain both of the following:

    • A in the cidr_blocks field

    • 22 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = []
    from_port   = 22
    to_port     = 22
    # other required fields here
  }
}
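The listing step of the AWS CLI procedure above and the two-part Terraform criteria (an unrestricted CIDR, plus port 22 inside the from_port..to_port range or a 0-to-0 all-ports range) can be applied offline to the JSON that `aws ec2 describe-security-groups` returns. The following is an added example and not part of this page or of any AWS tooling; it assumes that "unrestricted" means a /0 prefix (0.0.0.0/0 for IPv4 and ::/0 for IPv6, the values this page elides), treats IpProtocol -1 as covering every port, and runs over a constructed sample of security groups with made-up ids. It also generalises the revoke step: because a revoke call must match the stored rule exactly, it emits the rule's actual protocol and port range via --ip-permissions rather than the fixed --port 22 shorthand, which would not remove a rule such as 20-25.

```python
import ipaddress
import json
import shlex

SSH_PORT = 22

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ids and names are invented for this example; they are not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupName": "bastion-open",   "GroupId": "sg-0000000000000001",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupName": "bastion-office", "GroupId": "sg-0000000000000002",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
  {"GroupName": "all-traffic",    "GroupId": "sg-0000000000000003",
   "IpPermissions": [{"IpProtocol": "-1",
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupName": "wide-range-v6",  "GroupId": "sg-0000000000000004",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
                      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupName": "web-only",       "GroupId": "sg-0000000000000005",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")


def permission_covers_port(perm, port=SSH_PORT):
    """True if this IpPermissions entry would let traffic reach `port` (TCP)."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                 # "all traffic": no ports, everything is reachable
        return True
    if proto not in ("tcp", "6"):     # SSH is TCP; a UDP or ICMP rule does not expose it
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 0)
    if lo == 0 and hi == 0:           # the 0-to-0 shorthand from the Terraform criteria
        return True
    return lo <= port <= hi


def unrestricted_cidrs(perm):
    """Return the IPv4/IPv6 ranges in this entry that cover the whole internet (/0)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def find_open_ssh(describe_output, port=SSH_PORT):
    """One finding per (group, rule, unrestricted CIDR) that violates the check."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_port(perm, port):
                continue
            for cidr in unrestricted_cidrs(perm):
                findings.append({
                    "group_id": sg["GroupId"], "group_name": sg["GroupName"],
                    "protocol": str(perm["IpProtocol"]),
                    "from_port": perm.get("FromPort"), "to_port": perm.get("ToPort"),
                    "cidr": cidr,
                })
    return findings


def revoke_permission(finding):
    """The IpPermissions entry to revoke: it must mirror the stored rule (real protocol
    and port range, IPv4 vs IPv6 range) or the revoke call will not match anything."""
    perm = {"IpProtocol": finding["protocol"]}
    if finding["protocol"] != "-1":   # all-traffic rules carry no port range
        perm["FromPort"] = finding["from_port"]
        perm["ToPort"] = finding["to_port"]
    if ":" in finding["cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["cidr"]}]
    return perm


def revoke_command(finding, region="<region>"):
    """Shell line equivalent to the page's revoke step, for this specific rule."""
    perms = shlex.quote(json.dumps([revoke_permission(finding)]))
    return ("aws ec2 revoke-security-group-ingress --region %s --group-id %s "
            "--ip-permissions %s" % (region, finding["group_id"], perms))


if __name__ == "__main__":
    for f in find_open_ssh(SAMPLE_DESCRIBE_OUTPUT):
        print("%s (%s): %s %s-%s from %s" % (f["group_id"], f["group_name"],
              f["protocol"], f["from_port"], f["to_port"], f["cidr"]))
        print("  " + revoke_command(f))
```

Feed it real output with `aws ec2 describe-security-groups --output json > sgs.json` and `json.load(open("sgs.json"))`; the web-only group (443 from anywhere) and the office-restricted SSH rule produce no findings, while the 20-25 and all-traffic rules are caught even though neither is literally "port 22".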