VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports

Description

EC2 security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.

Console Remediation Steps

  • Navigate to EC2.

  • In the left navigation, select Security Groups.

  • Select the desired security group and click the Inbound tab.

  • Click Edit rules.

  • Remove any permissions that allow ‘0.0.0.0/0’ to all ports.

CLI Remediation Steps

  • Remove ingress rules which allow connectivity from anywhere to all ports and protocols:

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'
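A worked example of the check and remediation described above, added here as illustration rather than as part of the original remediation text. It evaluates the JSON shape returned by `aws ec2 describe-security-groups` (embedded below as a constructed sample with placeholder group ids, not real account data), flags rules that let 0.0.0.0/0 reach all ports, and builds the matching `revoke-security-group-ingress` call for each. It goes slightly beyond the page's wording by also treating a tcp or udp rule spanning ports 0-65535 as "all ports", since that is equivalent for that protocol; the function names are this example's own.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output,
# trimmed to the fields this check needs. Group ids are placeholders.
SAMPLE_DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0000000000000001",
            "GroupName": "web",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0000000000000002",
            "GroupName": "legacy-open",
            "IpPermissions": [
                # All protocols, all ports, from anywhere: the rule this page targets.
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                # Wide open, but only to an internal range: not a finding here.
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0000000000000003",
            "GroupName": "all-tcp-open",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}

ANYWHERE_V4 = "0.0.0.0/0"


def covers_all_ports(perm):
    """True when the permission spans every port of its protocol.
    IpProtocol "-1" means all protocols and carries no port fields;
    for tcp/udp, a 0-65535 range is the equivalent for that protocol."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto in ("tcp", "udp"):
        return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535
    return False


def open_to_world(perm):
    """True when any IPv4 range on the permission is 0.0.0.0/0."""
    return any(r.get("CidrIp") == ANYWHERE_V4 for r in perm.get("IpRanges", []))


def find_violations(describe_output):
    """Return (group_id, permission) pairs that allow 0.0.0.0/0 to all ports."""
    hits = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if open_to_world(perm) and covers_all_ports(perm):
                hits.append((sg["GroupId"], perm))
    return hits


def revoke_command(group_id, perm):
    """Build the revoke-security-group-ingress call for the offending rule.
    Only the 0.0.0.0/0 range is revoked; other CIDRs sharing the same
    permission entry stay in place."""
    ip_perm = {"IpProtocol": perm["IpProtocol"],
               "IpRanges": [{"CidrIp": ANYWHERE_V4}]}
    if "FromPort" in perm:
        ip_perm["FromPort"] = perm["FromPort"]
        ip_perm["ToPort"] = perm["ToPort"]
    return ("aws ec2 revoke-security-group-ingress --group-id %s "
            "--ip-permissions '%s'" % (group_id, json.dumps([ip_perm])))


if __name__ == "__main__":
    for gid, perm in find_violations(SAMPLE_DESCRIBE_OUTPUT):
        print(revoke_command(gid, perm))
```

Feed it real output by replacing the sample with `json.load()` of `aws ec2 describe-security-groups` and review the printed commands before running them. The check mirrors the page and looks at IPv4 only; an equivalent rule for `::/0` would inspect `Ipv6Ranges` and the `CidrIpv6` field in the same way.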