ELB listener security groups should not be set to TCP all
Description
ELB security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.
Remediation Steps
AWS Console
Navigate to EC2.
In the left navigation, select Load Balancers.
Select the desired load balancer.
In the Description tab under Security, take note of the security groups associated with the load balancer.
In the left navigation, select Security Groups.
Search and select the security groups from the previous step.
Click the Inbound tab. Click Edit and remove any references to TCP all.
Click Save.
Click the Outbound tab. Click Edit and remove any references to TCP all.
Click Save.
AWS CLI
List all load balancers and their attributes:
aws elb describe-load-balancers
Make note of each Security Group ID associated with each ELB.
Get security group details:
aws ec2 describe-security-groups --group-ids <group id>
In the output, a rule whose IpProtocol is tcp with FromPort 0 and ToPort 65535 is the ALL TCP rule type. If any such rule exists, run the following commands to remove it.
Remove the rules that open all TCP ports (one command per CIDR block, for ingress and for egress):
aws ec2 revoke-security-group-ingress --protocol tcp --port 0-65535 --cidr <cidr block> --group-id <group id>
aws ec2 revoke-security-group-egress --protocol tcp --port 0-65535 --cidr <cidr block> --group-id <group id>
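As an added example (not code from the original page), the check in the CLI steps above applied in code: a script that scans `describe-security-groups` output for the ALL TCP rule type in both IpPermissions (ingress) and IpPermissionsEgress (egress) and renders the matching revoke commands for review. The response is a constructed sample; the group id and CIDR blocks are placeholders.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output; the group id
# and CIDRs are placeholders, not values from a real account.
SAMPLE_RESPONSE = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
  "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}]}""")


def is_all_tcp(perm):
    """True when a permission entry is the 'ALL TCP' rule type: tcp, FromPort 0, ToPort 65535."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == 0
            and perm.get("ToPort") == 65535)


def find_all_tcp_rules(response):
    """Return (direction, group_id, cidr) for every ALL TCP IPv4 rule in the response.

    IpPermissions holds ingress rules, IpPermissionsEgress holds egress rules; a rule may
    list several CIDRs, and the revoke command takes one CIDR at a time.
    """
    findings = []
    for group in response["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in group.get(key, []):
                if not is_all_tcp(perm):
                    continue
                for ip_range in perm.get("IpRanges", []):
                    findings.append((direction, group["GroupId"], ip_range["CidrIp"]))
    return findings


def revoke_commands(findings):
    """Render the page's revoke commands, one per offending CIDR, for review before running."""
    return [
        f"aws ec2 revoke-security-group-{direction} --protocol tcp --port 0-65535 "
        f"--cidr {cidr} --group-id {group_id}"
        for direction, group_id, cidr in findings
    ]


if __name__ == "__main__":
    for command in revoke_commands(find_all_tcp_rules(SAMPLE_RESPONSE)):
        print(command)
```

On a real account, replace SAMPLE_RESPONSE with the parsed output of `aws ec2 describe-security-groups --group-ids <group id>` for each security group noted from the load balancers.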
CloudFormation
JSON
Ensure that AWS::EC2::SecurityGroup does not have a FromPort of 0 and a ToPort of 65535:
{
  "Properties" : {
    "GroupDescription" : "Allow http to client host",
    "VpcId" : {"Ref" : "myVPC"},
    "SecurityGroupIngress" : [{
      "IpProtocol" : "tcp",
      "FromPort" : 80,
      "ToPort" : 80,
      "CidrIp" : "0.0.0.0/0"
    }],
    "SecurityGroupEgress" : [{
      "IpProtocol" : "tcp",
      "FromPort" : 80,
      "ToPort" : 80,
      "CidrIp" : "0.0.0.0/0"
    }]
  }
}
JSON Example Configuration
{
  "InstanceSecurityGroup" : {
    "Type" : "AWS::EC2::SecurityGroup",
    "Properties" : {
      "GroupDescription" : "Allow http to client host",
      "VpcId" : {"Ref" : "myVPC"},
      "SecurityGroupIngress" : [{
        "IpProtocol" : "tcp",
        "FromPort" : 80,
        "ToPort" : 80,
        "CidrIp" : "0.0.0.0/0"
      }],
      "SecurityGroupEgress" : [{
        "IpProtocol" : "tcp",
        "FromPort" : 80,
        "ToPort" : 80,
        "CidrIp" : "0.0.0.0/0"
      }]
    }
  }
  # other required fields here
}
YAML
Ensure that AWS::EC2::SecurityGroup does not have a FromPort of 0 and a ToPort of 65535:
Properties:
  GroupDescription: Allow http to client host
  VpcId:
    Ref: myVPC
  SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
  SecurityGroupEgress:
    - IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
YAML Example Configuration
InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow http to client host
    VpcId:
      Ref: myVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
# other required fields here
Terraform
Ensure that the aws_security_group associated with a load balancer does not have an ingress block with from_port set to 0 and to_port set to 65535.
Example Configuration
resource "aws_security_group" "example" {
  ingress {
    protocol  = "tcp" # required alongside from_port/to_port in an ingress block
    from_port = 443
    to_port   = 443
  }
  # other required fields here
}
resource "aws_lb" "test" {
  security_groups = [aws_security_group.example.id]
  # other required fields here
}