VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)

Description

VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ (or its IPv6 equivalent ‘::/0’) to TCP port 389 (LDAP). Port 389 carries directory queries and simple binds, which travel in cleartext unless the client negotiates STARTTLS; leaving it reachable from the whole internet lets anyone enumerate users and groups, guess bind passwords, and reach any bug in the directory server directly. Restricting the source to the networks that actually need directory access removes that unfettered connectivity and reduces the chance of exposing critical data.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • In the left pane, click Security Groups.

  • For each security group, perform the following:

    • Select the security group.

    • Click the Inbound Rules tab.

    • Click Edit inbound rules.

    • Identify the rules to be removed: any rule whose source is 0.0.0.0/0 (or ::/0) and whose port range includes 389, including rules of type All traffic or All TCP.

    • Click Delete next to each such rule.

    • Click Save rules.

AWS CLI

  • Remove the inbound rule(s) that permit unrestricted ingress to TCP port 389 from the selected security group. The revoke call only removes a rule whose protocol, port range and source match the values given exactly, so a rule that covers 389 as part of a wider range (for example 300-400), an All TCP rule (0-65535) or an All traffic rule (--protocol -1) must be revoked with its own values, and an IPv6 source (::/0) must be passed through --ip-permissions rather than --cidr. --group-name is only resolved in the default VPC; for a group in any other VPC use --group-id <group_id> instead:

    • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 389 --cidr 0.0.0.0/0

  • Optionally add a more restrictive ingress rule to the selected security group, replacing <cidr_block> with the network that actually needs LDAP access (for example the CIDR of the subnets that host the directory clients):

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 389 --cidr <cidr_block>

Terraform

  • Ensure that no ingress block of an aws_security_group associated with an EC2 instance (and no aws_security_group_rule or aws_vpc_security_group_ingress_rule resource that targets that group; the latter names its fields cidr_ipv4, cidr_ipv6 and ip_protocol) combines BOTH of the following:

    • 0.0.0.0/0 in the cidr_blocks field, or ::/0 in the ipv6_cidr_blocks field

    • 389 within the port range defined from from_port to to_port, OR protocol set to "-1" (all traffic), in which case from_port and to_port are both set to 0 and every port is covered

Example Configuration

resource "aws_instance" "example" {
  vpc_security_group_ids = [aws_security_group.example.id]   # For EC2 instance in non-default VPC (takes IDs)
  # security_groups      = [aws_security_group.example.name] # For EC2 instance in default VPC (takes names); set one of the two, not both
  # other required fields here
}

resource "aws_security_group" "example" {
  ingress {
    protocol    = "tcp"
    from_port   = 300
    to_port     = 400              # 389 falls inside this range ...
    cidr_blocks = ["10.0.0.0/16"]  # ... so the source must be a trusted network, never 0.0.0.0/0
  }
}
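The check the Terraform bullets describe, and the exact-match limitation of the CLI revoke above, can be exercised offline against the JSON that aws ec2 describe-security-groups --output json returns. The script below is an added example, not code from the original page or from AWS: the group IDs and rules in SAMPLE_DESCRIBE_OUTPUT are constructed, and the us-east-1 default region and the function names are assumptions of this example. It goes beyond the page's exact-port case on purpose: it also flags rules that cover 389 inside a wider range, all-traffic ("-1") rules, and IPv6 ::/0 sources, and for each finding it emits a revoke call that uses --group-id and --ip-permissions so that it works in any VPC and matches the offending rule exactly.

```python
"""Offline audit of EC2 security-group ingress rules for unrestricted LDAP (TCP/389).

Added example, not code from the original page or from AWS. It consumes the JSON
shape that `aws ec2 describe-security-groups --output json` returns and, for every
rule that exposes TCP/389 to the world, builds the exact revoke call to remove it.
The sample data below is constructed; the group IDs are fake.
"""
import json
import shlex

LDAP_PORT = 389
UNRESTRICTED = {"0.0.0.0/0", "::/0"}

# Constructed sample in the describe-security-groups output shape (abridged).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "ldap-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "ldap-in-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 300, "ToPort": 400,  # 389 sits inside 300-400
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "all-traffic-v6", "IpPermissions": [
        {"IpProtocol": "-1",  # all protocols, all ports: no FromPort/ToPort keys at all
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "ldap-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,  # trusted source: compliant
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60005", "GroupName": "udp-389-open", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 389, "ToPort": 389,  # UDP: outside this rule's scope
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})


def covers_tcp_port(perm, port=LDAP_PORT):
    """True if one IpPermissions entry admits TCP traffic to `port`.
    IpProtocol "-1" means all protocols and all ports and carries no port keys."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 0)


def open_sources(perm):
    """Unrestricted source CIDRs (IPv4 and IPv6) on one entry, keyed as the API expects."""
    v4 = [("IpRanges", {"CidrIp": r["CidrIp"]})
          for r in perm.get("IpRanges", []) if r.get("CidrIp") in UNRESTRICTED]
    v6 = [("Ipv6Ranges", {"CidrIpv6": r["CidrIpv6"]})
          for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in UNRESTRICTED]
    return v4 + v6


def find_open_ldap(describe_json, port=LDAP_PORT):
    """Return [(group_id, offending)] where `offending` is a single-source IpPermissions
    entry copied from the rule, ready to be handed back to --ip-permissions."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not covers_tcp_port(perm, port):
                continue
            for key, rng in open_sources(perm):
                offending = {"IpProtocol": perm["IpProtocol"], key: [rng]}
                if perm["IpProtocol"] != "-1":
                    offending["FromPort"] = perm["FromPort"]
                    offending["ToPort"] = perm["ToPort"]
                findings.append((sg["GroupId"], offending))
    return findings


def revoke_command(group_id, offending, region="us-east-1"):
    """Exact CLI call for one finding. The revoke only removes a rule whose protocol,
    port range and source match, so `--port 389` would leave the 300-400 and all-traffic
    rules in place; echoing the rule's own values back avoids that. --group-id works in
    every VPC, unlike --group-name. The region is an assumption of this example."""
    perms = shlex.quote(json.dumps([offending], separators=(",", ":")))
    return ("aws ec2 revoke-security-group-ingress --region %s --group-id %s --ip-permissions %s"
            % (region, group_id, perms))


def narrowed_ranges(offending, port=LDAP_PORT):
    """Port ranges to re-authorize from a trusted CIDR if the rest of a wider TCP range was
    intentional: the range minus `port`. Empty for an exact-port or all-traffic rule."""
    if offending["IpProtocol"] == "-1":
        return []
    lo, hi = offending["FromPort"], offending["ToPort"]
    return [(a, b) for a, b in ((lo, port - 1), (port + 1, hi)) if a <= b]


if __name__ == "__main__":
    for group_id, offending in find_open_ldap(SAMPLE_DESCRIBE_OUTPUT):
        print(revoke_command(group_id, offending))
        for lo, hi in narrowed_ranges(offending):
            print("  # re-add from a trusted CIDR if still needed: --protocol tcp --port %d-%d" % (lo, hi))
```

To use it on a real account, replace SAMPLE_DESCRIBE_OUTPUT with the output of aws ec2 describe-security-groups --output json and review the printed commands before running them. Revoking a range rule removes the whole 0.0.0.0/0 range for that source, not just port 389, which is why the script also prints the narrowed ranges (300-388 and 390-400 for the sample) to re-authorize from a trusted CIDR if the other ports were intended; the 10.0.0.0/16 entry on the same rule is left untouched because the revoke names only the 0.0.0.0/0 source.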