VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)

Description

VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). An inbound rule that allows TCP port 22 from 0.0.0.0/0 (or, for IPv6, from ::/0) exposes the SSH service to every address on the internet, making the instance a target for brute-force logins and for any SSH vulnerability before it is patched. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure; where SSH is still required, limit the source to a known CIDR range or to the security group of a bastion host. Note that a rule for a port range that includes 22, or for "All traffic", exposes SSH just as a rule for port 22 alone does.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • Repeat the following steps for each security group that allows ingress from 0.0.0.0/0 (or ::/0) to port 22, including rules for a port range that contains 22 or for All traffic.

    • Select the security group and from the Actions drop-down, select Edit inbound rules.

    • Remove any rule(s) that allow ingress from 0.0.0.0/0 to port 22 and click Save rules. If SSH access is still needed, replace the removed rule with one whose Source is a specific CIDR range or a bastion host's security group rather than Anywhere.

CLI Remediation Steps

  • List all security groups with an ingress rule from 0.0.0.0/0. The ip-permission.cidr filter matches on the source CIDR only, regardless of port, so inspect each listed group's rules for port 22 (including port ranges that contain 22 and All traffic rules); repeat with Values='::/0' on the ip-permission.ipv6-cidr filter to cover IPv6:

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the rule. For SSH the protocol is tcp. The revoke call only removes a rule that matches the stored rule exactly, so if the offending rule covers a port range or All traffic, revoke that rule as stored (its own protocol and port range) rather than port 22 alone:

    • aws ec2 revoke-security-group-ingress --group-id <value> --protocol <protocol> --port 22 --cidr 0.0.0.0/0

  • Optionally add a more restrictive ingress rule to the selected security group, where <cidr_block> is the narrowest source range that needs SSH (for example a corporate egress range or a bastion subnet). Prefer --group-id over --group-name, since a group name resolves only within the default VPC; --region applies to every command above as well:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 22 --cidr <cidr_block>
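The precise check behind the CLI steps above, as an added example that is not part of the original page: a Python script that reads the JSON printed by aws ec2 describe-security-groups (or, when run without piped input, an embedded sample constructed for this example) and reports every rule that reaches TCP port 22 from 0.0.0.0/0 or ::/0, including the port-range and All traffic rules that the ip-permission.cidr filter alone does not distinguish, then builds the revoke command that matches each stored rule. The security group IDs and names in the sample are made up.

```python
"""Find security group rules that expose SSH (TCP/22) to the internet.

Added example, not part of the original page. Reads the JSON printed by
`aws ec2 describe-security-groups` from stdin, or falls back to the
constructed SAMPLE below when run interactively.
"""
import json
import sys

WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"
SSH_PORT = 22

# Constructed sample in describe-security-groups shape; IDs and names are made up.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        # HTTPS to the world is not this rule's concern; SSH is limited to 10/8.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion", "IpPermissions": [
        # The classic finding: port 22 open to the IPv4 and the IPv6 internet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy", "IpPermissions": [
        # "All traffic" (no FromPort/ToPort) and a wide TCP range both include 22.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # UDP/22 is not SSH and must not be reported.
        {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}


def covers_tcp_port(perm, port):
    """True if the rule's protocol and port range include TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                # all traffic: FromPort/ToPort are absent
        return True
    if proto not in ("tcp", "6"):    # SSH is TCP only; "6" is the numeric form
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_ssh_exposures(sg_json, port=SSH_PORT):
    """Return one finding per (group, rule, world CIDR) that reaches `port` from the internet."""
    findings = []
    for sg in sg_json.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not covers_tcp_port(perm, port):
                continue
            world = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
            world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
            for cidr in world:
                findings.append({
                    "GroupId": sg["GroupId"], "GroupName": sg.get("GroupName", ""),
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                    "Cidr": cidr,
                })
    return findings


def revoke_command(finding):
    """Build the revoke call that matches the stored rule, not just port 22.

    revoke-security-group-ingress removes only an exactly matching rule, so an
    all-traffic or 0-1024 rule is revoked as such via the --ip-permissions shorthand.
    """
    if finding["IpProtocol"] == "-1":
        proto = "IpProtocol=-1"
    else:
        proto = "IpProtocol=tcp,FromPort={},ToPort={}".format(finding["FromPort"], finding["ToPort"])
    if finding["Cidr"] == WORLD_V6:
        rng = "Ipv6Ranges=[{CidrIpv6=%s}]" % finding["Cidr"]
    else:
        rng = "IpRanges=[{CidrIp=%s}]" % finding["Cidr"]
    return ("aws ec2 revoke-security-group-ingress --group-id {} --ip-permissions '{},{}'"
            .format(finding["GroupId"], proto, rng))


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_ssh_exposures(data):
        ports = "all ports" if f["IpProtocol"] == "-1" else "{FromPort}-{ToPort}".format(**f)
        print("{GroupId} ({GroupName}): {IpProtocol} {ports} from {Cidr}".format(ports=ports, **f))
        print("  " + revoke_command(f))
```

Run it against a live account with aws ec2 describe-security-groups --output json | python3 audit_ssh.py (the file name is an assumption). On the sample it reports nothing for "web", two findings for "bastion" (IPv4 and IPv6) and two for "legacy" (the All traffic rule and the 0-1024 range), and skips the UDP rule; each finding is printed with a revoke command whose protocol and port range match the rule as AWS stores it, which is what the revoke call requires.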