VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)

Description

VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd). Removing unfettered connectivity to an etcd server reduces the chance of exposing critical data.

Console Remediation Steps

• Navigate to VPC.

• In the left pane, click Security Groups.

• For each security group, perform the following:

  • Select the security group.

  • Click the Inbound Rules tab.

  • Identify the rules to be removed.

  • Click the x in the Remove column.

  • Click Save.

CLI Remediation Steps

• Remove the inbound rule(s) that permits unrestricted ingress to TCP port 2379 from the selected security group:

  • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 2379 --cidr 0.0.0.0/0

• Optionally add a more restrictive ingress rule to the selected security group:

  • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 2379 --cidr <cidr_block>

Documentation Links

• Security Group Rules

• Revoke Security Group Ingress