VPC security group rules within private VPCs should not permit ingress from 0.0.0.0/0 to all ports and protocols

Description

Security groups within private VPCs should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.

Console Remediation Steps

  • Navigate to VPC.

  • In the left navigation, select Security Groups.

  • Select the desired security group and click the Inbound tab.

  • Click Edit rules.

  • Remove any permissions that allow ‘0.0.0.0/0’ to all ports/protocols.

CLI Remediation Steps

  • Remove ingress rules which allow connectivity from anywhere to all ports and protocols:

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'

    (IpProtocol=-1 is the AWS shorthand for all protocols, which also implies all ports; repeat for each security group that has such a rule.)
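To find which security groups actually need the CLI remediation above, the following added script (not part of this rule's documentation or of any AWS tooling) reads the JSON output of `aws ec2 describe-security-groups`, flags every ingress rule that allows 0.0.0.0/0 to all ports and protocols, and prints the matching revoke command. The sample input and the group/VPC IDs in it are constructed; the security group structure follows the real describe-security-groups output shape.

```python
"""Audit security groups for ingress rules allowing 0.0.0.0/0 to all ports/protocols.

Usage: aws ec2 describe-security-groups --output json | python audit_sg.py
With no piped input, the constructed SAMPLE below is used instead.
"""
import json
import sys

ANYWHERE_V4 = "0.0.0.0/0"


def offending_rules(describe_output: dict) -> list[dict]:
    """Return one finding per rule that allows 0.0.0.0/0 with IpProtocol "-1".

    IpProtocol "-1" means every protocol, and therefore every port, which is
    exactly the condition this rule checks for. Narrower rules (single ports,
    private CIDRs) are not reported.
    """
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") != "-1":
                continue
            if any(r.get("CidrIp") == ANYWHERE_V4 for r in perm.get("IpRanges", [])):
                findings.append({"GroupId": sg["GroupId"], "VpcId": sg.get("VpcId"),
                                 "CidrIp": ANYWHERE_V4})
    return findings


def revoke_command(finding: dict) -> str:
    """Build the AWS CLI command (shorthand syntax) that removes the offending rule."""
    return (
        f"aws ec2 revoke-security-group-ingress --group-id {finding['GroupId']} "
        f"--ip-permissions 'IpProtocol=-1,IpRanges=[{{CidrIp={finding['CidrIp']}}}]'"
    )


# Constructed sample in the shape of describe-security-groups output; IDs are made up.
SAMPLE = {
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "VpcId": "vpc-0aaa", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0fedcba9876543210", "VpcId": "vpc-0aaa", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # one port only: not flagged
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},  # private: not flagged
    ]
}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in offending_rules(data):
        print(f"{f['GroupId']} ({f['VpcId']}): allows {f['CidrIp']} to all ports/protocols")
        print("  " + revoke_command(f))
```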