VPC security groups attached to EC2 instances should not permit ingress from '0.0.0.0/0' to TCP port 389 (LDAP)
Description
VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP). Removing unfettered connectivity to LDAP reduces the chance of exposing critical data.
Remediation Steps
AWS Console
Navigate to VPC.
In the left pane, click Security Groups.
For each security group, perform the following:
Select the security group.
Click the Inbound Rules tab.
Identify the rules to be removed.
Click the x in the Remove column.
Click Save.
AWS CLI
Remove the inbound rule(s) that permit unrestricted ingress to TCP port 389 from the selected security group:
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 389 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected security group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 389 --cidr <cidr_block>
Terraform
Ensure that no aws_security_group ingress block associated with an EC2 instance both lists 0.0.0.0/0 in its cidr_blocks field and covers port 389, that is, 389 lies within the range from from_port to to_port, or from_port and to_port are both set to 0 (every port).
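The condition above (0.0.0.0/0 as source, and 389 inside the port range or an all-ports rule) is the same one a reviewer applies to live security groups. The following Python script is an added example, not part of this page or of any AWS tooling: it evaluates that condition over a constructed sample modelled on `aws ec2 describe-security-groups` output (the group IDs and names are placeholders) and, for each offending rule, builds the matching revoke-security-group-ingress command from the AWS CLI section. The all-protocols form uses the CLI's --ip-permissions shorthand; the sample data and the finding structure are this example's own assumptions.

```python
import json

LDAP_PORT = 389
ANY_IPV4 = "0.0.0.0/0"

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs and names are placeholders, not real resources.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0example0000000001", "GroupName": "ldap-open",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0example0000000002", "GroupName": "ldap-range",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 300, "ToPort": 400,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0example0000000003", "GroupName": "all-traffic",
         "IpPermissions": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0example0000000004", "GroupName": "ldap-internal",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
             {"IpProtocol": "udp", "FromPort": 389, "ToPort": 389,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]
})


def rule_exposes_ldap(perm: dict) -> bool:
    """True if a single IpPermissions entry allows TCP/389 from 0.0.0.0/0."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):  # UDP/389 is a separate finding, outside this check
        return False
    # Protocol "-1" entries carry no ports in describe output; treat as 0-0 (all ports),
    # which matches the Terraform from_port = 0 / to_port = 0 form.
    from_port = perm.get("FromPort", 0)
    to_port = perm.get("ToPort", 0)
    all_ports = proto == "-1" or (from_port == 0 and to_port == 0)
    covers_389 = all_ports or from_port <= LDAP_PORT <= to_port
    if not covers_389:
        return False
    return any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))


def revoke_command(group_id: str, perm: dict) -> str:
    """Build the revoke call for exactly this rule.

    A revoke only succeeds when protocol, port range and CIDR match the rule as it
    exists, so a 300-400 rule is revoked as 300-400, not as port 389.
    """
    if perm["IpProtocol"] == "-1":
        return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
                f"--ip-permissions 'IpProtocol=-1,IpRanges=[{{CidrIp={ANY_IPV4}}}]'")
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--protocol {perm['IpProtocol']} "
            f"--port {perm['FromPort']}-{perm['ToPort']} --cidr {ANY_IPV4}")


def find_open_ldap_rules(describe_json: str) -> list:
    """Return one finding dict per offending rule across all groups in the output."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if rule_exposes_ldap(perm):
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg["GroupName"],
                    "protocol": perm["IpProtocol"],
                    "from_port": perm.get("FromPort"),
                    "to_port": perm.get("ToPort"),
                    "revoke": revoke_command(sg["GroupId"], perm),
                })
    return findings


if __name__ == "__main__":
    for f in find_open_ldap_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['group_id']} ({f['group_name']}): "
              f"{f['protocol']} {f['from_port']}-{f['to_port']} open to {ANY_IPV4}")
        print("  " + f["revoke"])
```

Against real data, pipe `aws ec2 describe-security-groups --region <region>` into find_open_ldap_rules. Note that the sample's "ldap-range" group keeps its internal 10.0.0.0/16 rule after the revoke, because the revoke names only the 0.0.0.0/0 source.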
Example Configuration
resource "aws_instance" "example" {
  vpc_security_group_ids = [aws_security_group.example.id] # For an EC2 instance in a non-default VPC
  # security_groups = [aws_security_group.example.name]    # For an EC2 instance in the default VPC (takes names; use one of the two attributes, not both)
  # other required fields here
}

resource "aws_security_group" "example" {
  ingress {
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"] # internal range only, never 0.0.0.0/0
    from_port   = 300             # 389 falls inside this range, so the source must stay restricted
    to_port     = 400
    # other required fields here
  }
  # other required fields here
}