VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)

Description

VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd). Removing unfettered connectivity to an etcd server reduces the chance of exposing critical data.

Remediation Steps

AWS Console

• Navigate to VPC.

• In the left navigation pane, click Security Groups.

  • Remove any rules that include port 2379 and have a source of 0.0.0.0/0.

  • Click Save.

AWS CLI

• List all security groups with an ingress rule of 0.0.0.0/0:

  • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

• Remove the inbound rule(s) that permits unrestricted ingress to port 2379:

  • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 2379 --cidr 0.0.0.0/0

• Optionally add a more restrictive ingress rule to the selected Security Group:

  • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 2379 --cidr <cidr_block>

Terraform

• Ensure that an aws_security_group ingress block does NOT contain both of the following:

  • A 0.0.0.0/0 in the cidr_blocks field

  • 2379 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = [10.0.0.0/16]
    from_port   = 2379
    to_port     = 2379
    # other required fields here
  }
}

Documentation Links

AWS Console and CLI

• Security Groups for your VPC: Adding, Removing, and Updating Rules

• Updating Security Group Rules

• describe-security-groups Command Line Reference

• revoke-security-group-ingress Command Line Reference

Terraform

• Resource: aws_security_group

  • Field: ingress