VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)

Description

VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.

Console Remediation Steps

• Navigate to VPC.

• In the left navigation, select Security Groups.

• Repeat the following steps for each security group that allows ingress from 0.0.0.0/0 port 22.

  • Select the security group and from the Actions drop-down, select Edit inbound rules.

  • Remove any rule(s) that allows ingress from 0.0.0.0/0 port 22 and click Save rules.

CLI Remediation Steps

• List all security groups with an ingress rule of 0.0.0.0/0:

  • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

• Remove the rule:

  • aws ec2 revoke-security-group-ingress --group-id <value> --protocol <protocol> --port 22 --cidr 0.0.0.0/0

• Optionally add a more restrictive ingress rule to the selected Security Group:

  • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr <cidr_block>

Documentation Links

• Security Groups for Your VPC: Adding, Removing, and Updating Rules

• Updating Security Group Rules

• describe-security-groups Command Line Reference

• revoke-security-group-ingress Command Line Reference