VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)

Description

VPC security groups should not permit unrestricted access from the internet to port 3389 (RDP). Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol, reduces a server’s exposure to risk.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • For each security group, perform the steps described below.

    • Select the Security Group, click the Inbound Rules tab, and click Edit rules.

    • Remove any rules that include port 3389 and have a source of 0.0.0.0/0.

    • Click Save.

AWS CLI

  • List all security groups with an ingress rule of 0.0.0.0/0:

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the rule:

    • aws ec2 revoke-security-group-ingress --group-id <value> --protocol <protocol> --port 3389 --cidr 0.0.0.0/0

  • Optionally add a more restrictive ingress rule to the selected Security Group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 3389 --cidr <cidr_block>

CloudFormation

JSON

JSON Example Configuration
{
  "ValidSecurityGroup02": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "GroupDescription": "RDP from the internal 10.0.0.0/16 range only",
      "SecurityGroupIngress": [
        {
          "CidrIp": "10.0.0.0/16",
          "IpProtocol": "tcp",
          "FromPort": 3389,
          "ToPort": 3389
        }
      ]
    }
  }
}

YAML

YAML Example Configuration
ValidSecurityGroup02:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: RDP from the internal 10.0.0.0/16 range only
    SecurityGroupIngress:
      - CidrIp: '10.0.0.0/16'
        IpProtocol: tcp   # -1 would mean all protocols on every port, regardless of FromPort/ToPort
        FromPort: 3389
        ToPort: 3389
  # other required fields here

Terraform

  • Ensure that an aws_security_group ingress block does NOT contain both of the following:

    • A 0.0.0.0/0 in the cidr_blocks field

    • 3389 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0
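The condition described above can be applied to the output of aws ec2 describe-security-groups. The following is an added example, not part of this policy page or of any scanner, that evaluates each ingress rule and reports the groups whose 0.0.0.0/0 rules cover port 3389 (it also treats ::/0 and an IpProtocol of -1 as unrestricted; the sample group ids are constructed):

```python
RDP_PORT = 3389

def rule_exposes_rdp(perm: dict) -> bool:
    """True if one IpPermissions entry admits port 3389 from the whole internet."""
    open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
    open_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
    if not (open_v4 or open_v6):
        return False
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":          # all traffic: every port, whatever FromPort/ToPort say
        return True
    if proto not in ("tcp", "6"):  # RDP is TCP; UDP/ICMP rules are not in scope
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 0)
    if lo == 0 and hi == 0:    # from_port = to_port = 0 means "all ports"
        return True
    return lo <= RDP_PORT <= hi

def find_violations(describe_output: dict) -> list:
    """GroupIds whose ingress rules fail the check, in the order returned by AWS."""
    return [g["GroupId"] for g in describe_output["SecurityGroups"]
            if any(rule_exposes_rdp(p) for p in g.get("IpPermissions", []))]

# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (hypothetical group ids; not taken from any real account).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0001", "IpPermissions": [      # RDP open to the internet
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0002", "IpPermissions": [      # all traffic from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0003", "IpPermissions": [      # range that contains 3389
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0004", "IpPermissions": [      # RDP from one VPC only: fine
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0005", "IpPermissions": [      # HTTPS from anywhere: not RDP
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

if __name__ == "__main__":
    for gid in find_violations(SAMPLE):
        print(f"{gid}: revoke the 0.0.0.0/0 rule that covers port 3389")
```

Pipe real output in with `aws ec2 describe-security-groups --output json` and load it with `json.load` in place of SAMPLE; each reported group id is then the `--group-id` value for the revoke command in the CLI section.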

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = ["10.0.0.0/16"]
    protocol    = "tcp"
    from_port   = 3389
    to_port     = 3389
    # other required fields here
  }
}