VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (Remote Desktop Protocol)

Description

VPC security groups should not permit unrestricted access from the internet to port 3389 (RDP). Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol, reduces a server’s exposure to risk.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • For each security group, perform the steps described below.

  • Select the Security Group, click the Inbound Rules tab, and click Edit rules.

  • Remove any rule that includes port 3389 and has a source of 0.0.0.0/0.

  • Click Save.

CLI Remediation Steps

  • List all security groups with an ingress rule of 0.0.0.0/0:

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the rule:

    • aws ec2 revoke-security-group-ingress --group-id <value> --protocol tcp --port 3389 --cidr 0.0.0.0/0
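The describe command above lists every group with any 0.0.0.0/0 ingress rule, and the revoke command only removes a rule that matches its arguments exactly (protocol tcp, port 3389, source 0.0.0.0/0). A rule that opens a port range such as 3000-4000, an all-protocols (-1) rule, or an IPv6 rule with source ::/0 also exposes RDP but will not be matched by that revoke call. The following Python script is an added example, not part of this page or of the AWS CLI; it reads the JSON that `aws ec2 describe-security-groups --output json` prints (the embedded sample is constructed, with made-up group IDs), flags every rule whose protocol and port range cover TCP/3389 from 0.0.0.0/0 or ::/0, and prints a `revoke-security-group-ingress --ip-permissions` call that matches each offending rule as it actually exists.

```python
"""Flag security-group ingress rules that expose TCP/3389 to the internet.

Input is the JSON printed by `aws ec2 describe-security-groups --output json`.
The sample below is constructed for illustration; the group IDs are not real.
"""
import json
import sys

RDP_PORT = 3389
OPEN_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_JSON = """
{"SecurityGroups": [
  {"GroupName": "exact-rule", "GroupId": "sg-0000000000000001",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupName": "port-range", "GroupId": "sg-0000000000000002",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupName": "all-proto-ipv6", "GroupId": "sg-0000000000000003",
   "IpPermissions": [{"IpProtocol": "-1",
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupName": "internal-only", "GroupId": "sg-0000000000000004",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
]}
"""


def rule_covers_rdp(perm):
    """True if this IpPermission admits TCP/3389. Protocol "-1" means all
    protocols and all ports; otherwise require tcp with 3389 in the range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def find_open_rdp_rules(data):
    """Return one finding per (group, rule, world-open source) combination."""
    findings = []
    for sg in data.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_rdp(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if src in OPEN_SOURCES:
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "GroupName": sg.get("GroupName", ""),
                        "IpProtocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"),
                        "ToPort": perm.get("ToPort"),
                        "Source": src,
                    })
    return findings


def load_findings(raw_json):
    """Parse describe-security-groups JSON text and return the findings."""
    return find_open_rdp_rules(json.loads(raw_json))


def revoke_command(f):
    """Build a revoke call that matches the rule exactly as it exists.
    revoke-security-group-ingress removes only an exactly matching rule, so a
    3000-4000 range is revoked as 3000-4000 (re-add the parts still needed
    without 3389), and an IPv6 source must be given via Ipv6Ranges."""
    if f["IpProtocol"] == "-1":
        ports = '"IpProtocol":"-1"'
    else:
        ports = '"IpProtocol":"%s","FromPort":%d,"ToPort":%d' % (
            f["IpProtocol"], f["FromPort"], f["ToPort"])
    if ":" in f["Source"]:
        src = '"Ipv6Ranges":[{"CidrIpv6":"%s"}]' % f["Source"]
    else:
        src = '"IpRanges":[{"CidrIp":"%s"}]' % f["Source"]
    return ("aws ec2 revoke-security-group-ingress --group-id %s "
            "--ip-permissions '[{%s,%s}]'" % (f["GroupId"], ports, src))


def main():
    # Usage: python check_rdp.py groups.json   (defaults to the built-in sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    for f in load_findings(raw):
        print("%s (%s): %s %s-%s from %s" % (f["GroupId"], f["GroupName"],
              f["IpProtocol"], f["FromPort"], f["ToPort"], f["Source"]))
        print("  " + revoke_command(f))


if __name__ == "__main__":
    main()
```

Run it against a saved `aws ec2 describe-security-groups --output json` dump, or with no argument to see the sample: the exact-match group, the port-range group and the all-protocols IPv6 group are reported, while the group that only allows 3389 from 10.0.0.0/8 is not. Review each printed revoke call before running it, since the port-range and all-protocols cases remove more than RDP and usually need a narrower replacement rule afterwards.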