ELB listener security groups should not be set to TCP all

Description

ELB security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.

Console Remediation Steps

  • Navigate to EC2.

  • In the left navigation, select Load Balancers.

  • Select the desired load balancer.

  • In the Description tab under Security, take note of the security groups associated with the load balancer.

  • In the left navigation, select Security Groups.

  • Search and select the security groups from the previous step.

  • Click the Inbound tab. Click Edit and remove any references to TCP all.

  • Click Save.

  • Click the Outbound tab. Click Edit and remove any references to TCP all.

  • Click Save.

CLI Remediation Steps

  • List all load balancers and their attributes:

    • aws elbv2 describe-load-balancers

      Make note of each Security Group ID associated with each ELB.

  • Get security group details:

    • aws ec2 describe-security-groups --group-ids <group id>

      In the output, if a rule has IpProtocol tcp with FromPort 0 and ToPort 65535, the rule Type is ALL TCP. If this is the case, run the following commands to remove those rules.

  • Remove the ingress and egress rules that open all TCP ports:

    • aws ec2 revoke-security-group-ingress --protocol tcp --port 0-65535 --cidr <cidr block> --group-id <group id>

    • aws ec2 revoke-security-group-egress --protocol tcp --port 0-65535 --cidr <cidr block> --group-id <group id>
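The following added example (not part of the original remediation page) automates the check in the CLI steps above: it parses the JSON that aws ec2 describe-security-groups returns, flags every ingress or egress rule with IpProtocol tcp and port range 0-65535, and builds the matching revoke commands. The security group ID and CIDR ranges in the sample output are constructed; only IPv4 IpRanges are inspected, so Ipv6Ranges would need the same treatment.

```python
import json

# Constructed sample of `aws ec2 describe-security-groups` output (not real
# account data): one inbound and one outbound rule open all TCP ports, while
# the 443 rule is a normal HTTPS rule that must be left alone.
SAMPLE_DESCRIBE_SG = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    }]
})


def is_all_tcp(rule):
    """True for the rule shape the check describes: TCP with port range 0-65535."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == 0 and rule.get("ToPort") == 65535)


def find_all_tcp_rules(describe_output):
    """Return (group_id, direction, cidr) for every ALL TCP rule in the output."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for rule in group.get(key, []):
                if not is_all_tcp(rule):
                    continue
                # One revoke is needed per CIDR attached to the offending rule.
                for ip_range in rule.get("IpRanges", []):
                    findings.append((group["GroupId"], direction, ip_range["CidrIp"]))
    return findings


def revoke_commands(findings):
    """Build the revoke commands from the CLI remediation steps for each finding."""
    return [f"aws ec2 revoke-security-group-{direction} --protocol tcp "
            f"--port 0-65535 --cidr {cidr} --group-id {group_id}"
            for group_id, direction, cidr in findings]


if __name__ == "__main__":
    for cmd in revoke_commands(find_all_tcp_rules(SAMPLE_DESCRIBE_SG)):
        print(cmd)
```

Review the printed commands before running them, since revoking an egress rule can break outbound traffic the load balancer needs.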