VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol)

Description
VPC security groups should not permit unrestricted access from the internet to port 3389 (RDP). Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol, reduces a server’s exposure to risk.
Remediation Steps

AWS Console
Navigate to VPC.
In the left navigation, select Security Groups.
For each security group, perform the steps described below.
Select the Security Group, click the Inbound Rules tab, and click Edit rules.
Remove any rules that include port 3389 and have a source of 0.0.0.0/0.
Click Save.
AWS CLI

List all security groups that have an ingress rule with a source of 0.0.0.0/0 (on any port; inspect each group's rules for port 3389):

    aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

Remove the rule:

    aws ec2 revoke-security-group-ingress --group-id <value> --protocol <protocol> --port 3389 --cidr 0.0.0.0/0

Optionally add a more restrictive ingress rule to the selected Security Group:

    aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 3389 --cidr <cidr_block>
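The describe command above lists every group with a 0.0.0.0/0 source, not only those exposing RDP. The following added example (not part of the original page) applies this rule's exact condition to the `IpPermissions` entries in that command's output: the source is 0.0.0.0/0 and either the protocol is -1 (all traffic) or 3389 lies within FromPort..ToPort. It also treats ::/0, the IPv6 equivalent, as unrestricted, which extends the page's IPv4-only wording; the sample groups and their IDs are constructed.

```python
# Added example (not from the original page): evaluate the IpPermissions
# entries returned by `aws ec2 describe-security-groups` for unrestricted RDP.
RDP_PORT = 3389
# 0.0.0.0/0 is the page's condition; ::/0 is its IPv6 equivalent (extension).
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def permission_covers_port(perm: dict, port: int = RDP_PORT) -> bool:
    """True if an ingress entry applies to `port`. IpProtocol "-1" means all
    protocols and ports and carries no FromPort/ToPort; otherwise `port` must
    lie inside [FromPort, ToPort]."""
    if str(perm.get("IpProtocol")) == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def open_cidrs(perm: dict) -> list[str]:
    """Return the world-open CIDRs (v4 and v6) listed in an ingress entry."""
    v4 = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in OPEN_CIDRS]


def find_unrestricted_rdp(security_groups: list[dict]) -> list[tuple[str, str, str]]:
    """(GroupId, IpProtocol, CIDR) for every rule that exposes 3389 to the world."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if permission_covers_port(perm):
                for cidr in open_cidrs(perm):
                    findings.append((sg["GroupId"], str(perm["IpProtocol"]), cidr))
    return findings


# Constructed sample input in describe-security-groups shape (IDs are fake).
SAMPLE_GROUPS = [
    {"GroupId": "sg-compliant", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-range", "IpPermissions": [           # 3000-4000 includes 3389
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-alltraffic", "IpPermissions": [      # -1: every port, from ::/0
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group_id, proto, cidr in find_unrestricted_rdp(SAMPLE_GROUPS):
        print(f"{group_id}: {proto} port {RDP_PORT} open to {cidr}")
```

To run it against a real account, load the JSON printed by `aws ec2 describe-security-groups` and pass its `SecurityGroups` list to `find_unrestricted_rdp`.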
CloudFormation

JSON

Ensure that an AWS::EC2::SecurityGroup SecurityGroupIngress block does NOT contain both of the following:

- 0.0.0.0/0 in the CidrIp field
- 3389 within the port range defined from FromPort to ToPort, OR IpProtocol set to -1 (all traffic, in which case FromPort and ToPort are ignored)

JSON Example Configuration (other required properties of the resource are omitted; JSON allows no comments):
    {
      "ValidSecurityGroup02": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
          "SecurityGroupIngress": [
            {
              "CidrIp": "10.0.0.0/16",
              "FromPort": 3389,
              "ToPort": 3389,
              "IpProtocol": "tcp"
            }
          ]
        }
      }
    }
YAML

Ensure that an AWS::EC2::SecurityGroup SecurityGroupIngress block does NOT contain both of the following:

- 0.0.0.0/0 in the CidrIp field
- 3389 within the port range defined from FromPort to ToPort, OR IpProtocol set to -1 (all traffic, in which case FromPort and ToPort are ignored)

YAML Example Configuration
    ValidSecurityGroup02:
      Type: AWS::EC2::SecurityGroup
      Properties:
        SecurityGroupIngress:
          - CidrIp: '10.0.0.0/16'
            FromPort: 3389
            ToPort: 3389
            IpProtocol: tcp   # -1 would open every port, regardless of FromPort/ToPort
        # other required fields here
Terraform

Ensure that an aws_security_group ingress block does NOT contain both of the following:

- 0.0.0.0/0 in the cidr_blocks field
- 3389 within the port range defined from from_port to to_port, OR from_port and to_port both set to 0

Example Configuration
    resource "aws_security_group" "example" {
      ingress {
        cidr_blocks = ["10.0.0.0/16"]
        from_port   = 3389
        to_port     = 3389
        protocol    = "tcp"   # required in an ingress block; "-1" would mean all traffic
        # other required fields here
      }
    }