VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports

Description

A security group rule that allows inbound traffic from 0.0.0.0/0 on every port exposes every service listening on the instance to the whole internet, including services that were never meant to be reachable from outside (databases, management consoles, debugging ports). Security groups attached to EC2 instances should permit access only to the ports each workload actually needs, and from the narrowest source range that needs them, so that a vulnerable or misconfigured service on some other port cannot be reached.

Remediation Steps

AWS Console

  • Navigate to EC2.

  • In the left navigation, select Security Groups.

  • Select the desired security group and open the Inbound rules tab.

  • Click Edit inbound rules.

  • Delete any rule whose Source is 0.0.0.0/0 and whose Type is All traffic, or whose port range is 0 - 65535. Replace it with rules for the specific ports and sources the workload requires, then click Save rules.

AWS CLI

  • Remove ingress rules which allow connectivity from anywhere to all ports and protocols. The --ip-permissions payload must match the existing rule exactly (protocol, port range and CIDR); an all-traffic rule has IpProtocol -1 and carries no FromPort/ToPort:

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions <ip_permissions>
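
To make the CLI step concrete, the following Python is an added example (not code from the original page): it scans the JSON that aws ec2 describe-security-groups --output json returns, flags every ingress permission that spans all ports and lists 0.0.0.0/0 as a source, and renders the exact revoke-security-group-ingress call for each finding. The describe output is a constructed sample embedded in the script; the group IDs, names and account number in it are made up, and nothing here talks to AWS.

```python
"""Added example: find all-ports-from-anywhere ingress rules in
`aws ec2 describe-security-groups` output and build the matching
`revoke-security-group-ingress --ip-permissions` payload for each.
The input below is a constructed sample in the API's shape; no AWS calls are made."""
import json
import shlex

ANYWHERE = "0.0.0.0/0"

# Constructed sample describe-security-groups output (IDs and account are fictitious).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "web",
            "IpPermissions": [
                # Acceptable under this check: open to the world, but HTTPS only.
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": ANYWHERE}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [], "PrefixListIds": []},
                # Offending: all traffic ("-1" carries no FromPort/ToPort) from
                # anywhere, sharing one permission entry with an internal range.
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "vpc"},
                              {"CidrIp": ANYWHERE}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "batch",
            "IpPermissions": [
                # Offending: TCP with an explicit 0-65535 range from anywhere.
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": ANYWHERE}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [], "PrefixListIds": []},
                # Acceptable: all ports, but only from a peer security group.
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa",
                                       "UserId": "123456789012"}],
                 "PrefixListIds": []},
            ],
        },
    ]
})


def covers_all_ports(perm: dict) -> bool:
    """True if a permission entry spans every port.

    The API omits FromPort/ToPort for IpProtocol "-1" (all traffic), so that
    protocol is always all ports; for tcp/udp the full range is 0-65535.
    """
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":
        return True
    if proto in ("tcp", "udp", "6", "17"):
        return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535
    return False


def find_open_to_world_all_ports(describe_output: str) -> list[dict]:
    """One finding per (group, permission) that is all ports from 0.0.0.0/0."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_all_ports(perm):
                continue
            if any(r.get("CidrIp") == ANYWHERE for r in perm.get("IpRanges", [])):
                # Mirror the existing rule's protocol and ports exactly, but carry
                # only the 0.0.0.0/0 range so other sources in the entry survive.
                payload = {"IpProtocol": perm["IpProtocol"],
                           "IpRanges": [{"CidrIp": ANYWHERE}]}
                if "FromPort" in perm:
                    payload["FromPort"] = perm["FromPort"]
                    payload["ToPort"] = perm["ToPort"]
                findings.append({"GroupId": sg["GroupId"],
                                 "GroupName": sg.get("GroupName", ""),
                                 "IpPermissions": [payload]})
    return findings


def revoke_command(finding: dict) -> str:
    """Render the aws ec2 revoke-security-group-ingress call for one finding."""
    return ("aws ec2 revoke-security-group-ingress --group-id "
            f"{finding['GroupId']} --ip-permissions "
            f"{shlex.quote(json.dumps(finding['IpPermissions']))}")


if __name__ == "__main__":
    for f in find_open_to_world_all_ports(SAMPLE_DESCRIBE_OUTPUT):
        print(f"# {f['GroupName']} ({f['GroupId']})")
        print(revoke_command(f))
```

Run against real output by piping aws ec2 describe-security-groups --output json into the script in place of the sample. Two details are worth noticing: the port-443 rule and the peer-security-group rule are left alone, and the revoke payload for the "web" group names only the 0.0.0.0/0 range, so the 10.0.0.0/16 source in the same permission entry is preserved. If you prefer not to reconstruct the rule by hand, aws ec2 describe-security-group-rules returns per-rule IDs, and revoke-security-group-ingress accepts them via --security-group-rule-ids.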

Terraform

  • Ensure that no aws_security_group ingress block associated with an EC2 instance combines both of the following:

    • "0.0.0.0/0" in the cidr_blocks field (the IPv6 equivalent is "::/0" in ipv6_cidr_blocks)

    • a port range covering every port: from_port = 0 and to_port = 65535, OR protocol = "-1" (all traffic) with from_port and to_port both set to 0

  • The same check applies to rules written as standalone aws_vpc_security_group_ingress_rule resources (cidr_ipv4 = "0.0.0.0/0" together with ip_protocol = "-1" or a 0-65535 port range).

Example Configuration

resource "aws_instance" "example" {
  # Use one of the two attributes below, not both.
  vpc_security_group_ids = [aws_security_group.example.id]   # EC2 instance in a non-default VPC (takes group IDs)
  # security_groups      = [aws_security_group.example.name] # EC2 instance in the default VPC (takes group names)
  # other required fields here (ami, instance_type, ...)
}

resource "aws_security_group" "example" {
  ingress {
    protocol    = "tcp"
    from_port   = 0
    to_port     = 65535
    cidr_blocks = ["10.0.0.0/16"] # source restricted to the VPC range, not 0.0.0.0/0
    # other required fields here
  }
}

This passes the check because the source is a private range rather than 0.0.0.0/0; narrowing from_port/to_port to the ports the workload actually serves is still preferable to a 0-65535 range.