ELB listener security groups should not be set to TCP all

Description

ELB security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.

Remediation Steps

AWS Console

  • Navigate to EC2.

  • In the left navigation, select Load Balancers.

  • Select the desired load balancer.

  • In the Description tab under Security, take note of the security groups associated with the load balancer.

  • In the left navigation, select Security Groups.

  • Search and select the security groups from the previous step.

  • Click the Inbound tab. Click Edit and remove any references to TCP all.

  • Click Save.

  • Click the Outbound tab. Click Edit and remove any references to TCP all.

  • Click Save.

AWS CLI

  • List all load balancers and their attributes:

    • aws elb describe-load-balancers

    • Make note of each Security Group ID associated with each ELB.

  • Get security group details:

    • aws ec2 describe-security-groups --group-ids <group id>

    • In the output, a rule with IpProtocol tcp, FromPort 0 and ToPort 65535 is what the console shows as the ALL TCP type. If such a rule is present, run the following commands to remove it.

  • Remove the rule that opens all TCP ports (the revoke must match the existing rule's protocol, port range and source exactly):

    • aws ec2 revoke-security-group-ingress --protocol tcp --port 0-65535 --cidr <cidr block> --group-id <group id>

    • aws ec2 revoke-security-group-egress --protocol tcp --port 0-65535 --cidr <cidr block> --group-id <group id>
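
The CLI steps above can be scripted so that the detection rule (FromPort 0, ToPort 65535 on protocol tcp) and the revoke call stay consistent. The following is an added example, not code from the remediation page or from AWS: it parses the JSON that aws ec2 describe-security-groups prints, flags every ingress and egress rule that opens all TCP ports, and builds the matching aws ec2 revoke-security-group-ingress / -egress invocation. The response it runs on is constructed for illustration (the group IDs and account ID are fake). It goes slightly beyond the page in two ways: it also flags protocol -1 ("All traffic"), which is a superset of ALL TCP, and it passes the rule back with --ip-permissions rather than the --cidr shorthand, because a revoke only removes a rule whose source matches exactly, and a rule keyed on a source security group or an IPv6 range cannot be expressed with --cidr.

```python
"""Added example (not from the remediation page or AWS): parse the JSON that
`aws ec2 describe-security-groups` prints, flag rules that open every TCP
port, and build the matching `aws ec2 revoke-security-group-*` call.
The response below is constructed for illustration; all IDs are fake."""
import json
import shlex

# Constructed sample: one ELB security group with one acceptable rule
# (TCP 443 only) and three rules that should be revoked.
SAMPLE_RESPONSE = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0123456789abcdef0",
      "GroupName": "elb-example",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210",
                               "UserId": "123456789012"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}
      ],
      "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}
      ]
    }
  ]
}
""")

# Source lists a rule may carry in describe output.
RANGE_KEYS = ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs", "PrefixListIds")


def is_all_tcp(perm):
    """The console's 'All TCP' type: protocol tcp spanning ports 0-65535."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == 0
            and perm.get("ToPort") == 65535)


def is_all_traffic(perm):
    """Protocol -1 ('All traffic'): not named on the page, but a strict
    superset of 'All TCP'. Describe output carries no port keys for it."""
    return perm.get("IpProtocol") == "-1"


def find_open_rules(response):
    """One finding per ingress or egress rule that opens every TCP port."""
    findings = []
    for sg in response["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                if is_all_tcp(perm) or is_all_traffic(perm):
                    findings.append({"group_id": sg["GroupId"],
                                     "direction": direction,
                                     "permission": perm})
    return findings


def revoke_spec(finding):
    """The IpPermission to hand back to revoke-security-group-*: the same
    protocol and port range, plus only the non-empty source lists."""
    perm = finding["permission"]
    spec = {"IpProtocol": perm["IpProtocol"]}
    for k in ("FromPort", "ToPort"):
        if k in perm:
            spec[k] = perm[k]
    for k in RANGE_KEYS:
        if perm.get(k):
            spec[k] = perm[k]
    return spec


def revoke_argv(finding):
    """argv for the revoke call; the rule is echoed with --ip-permissions so
    CIDR, IPv6 and source-security-group rules are all matched exactly."""
    return ["aws", "ec2", "revoke-security-group-" + finding["direction"],
            "--group-id", finding["group_id"],
            "--ip-permissions",
            json.dumps([revoke_spec(finding)], separators=(",", ":"))]


def revoke_commands(response):
    """Shell-quoted commands, one per finding, ready to review and run."""
    return [shlex.join(revoke_argv(f)) for f in find_open_rules(response)]


if __name__ == "__main__":
    for line in revoke_commands(SAMPLE_RESPONSE):
        print(line)
```

Pipe real output in with aws ec2 describe-security-groups --group-ids <group id> and review the printed commands before running them; the TCP 443 rule in the sample is left alone, while the 0-65535 ingress rule (both its CIDR and its source-group entry), the All-traffic rule and the IPv6 egress rule each produce one revoke.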

CloudFormation

JSON

{
  "Properties" : {
      "GroupDescription" : "Allow http to client host",
      "VpcId" : {"Ref" : "myVPC"},
      "SecurityGroupIngress" : [{
        "IpProtocol" : "tcp",
        "FromPort" : 80,
        "ToPort" : 80,
        "CidrIp" : "0.0.0.0/0"
      }],
      "SecurityGroupEgress" : [{
        "IpProtocol" : "tcp",
        "FromPort" : 80,
        "ToPort" : 80,
        "CidrIp" : "0.0.0.0/0"
      }]
  }
}

JSON Example Configuration

{
  "InstanceSecurityGroup" : {
    "Type" : "AWS::EC2::SecurityGroup",
    "Properties" : {
        "GroupDescription" : "Allow http to client host",
        "VpcId" : {"Ref" : "myVPC"},
        "SecurityGroupIngress" : [{
          "IpProtocol" : "tcp",
          "FromPort" : 80,
          "ToPort" : 80,
          "CidrIp" : "0.0.0.0/0"
        }],
        "SecurityGroupEgress" : [{
          "IpProtocol" : "tcp",
          "FromPort" : 80,
          "ToPort" : 80,
          "CidrIp" : "0.0.0.0/0"
        }]
    }
  }
}
Other required fields go here (JSON does not allow comments, so the placeholder sits outside the object).

YAML

Properties:
    GroupDescription: Allow http to client host
    VpcId:
       Ref: myVPC
    SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
    SecurityGroupEgress:
    - IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0

YAML Example Configuration

InstanceSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
      GroupDescription: Allow http to client host
      VpcId:
         Ref: myVPC
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
# other required fields here

Terraform

  • Ensure that the aws_security_group associated with a load balancer does not have an ingress or egress block with protocol set to "tcp", from_port set to 0 and to_port set to 65535.

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    # A single listener port, not the 0-65535 range that the check flags.
    protocol  = "tcp"
    from_port = 443
    to_port   = 443
  }
  # other required fields here
}

resource "aws_lb" "test" {
  security_groups = [aws_security_group.example.id]
  # other required fields here
}