VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4505 (SaltStack Master)
Description
VPC security group rules should not permit ingress from '0.0.0.0/0' to TCP/UDP port 4505 (SaltStack Master). Removing unfettered connectivity to a SaltStack Master server reduces the chance of exposing critical data.
Console Remediation Steps
Navigate to VPC.
In the left pane, click Security Groups.
For each security group, perform the following:
Select the security group.
Click the Inbound Rules tab.
Identify the rules to be removed.
Click the x in the Remove column.
Click Save.
CLI Remediation Steps for TCP
Remove the inbound rule(s) that permit unrestricted ingress to TCP port 4505 from the selected Security Group:
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 4505 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 4505 --cidr <cidr_block>
CLI Remediation Steps for UDP
Remove the inbound rule(s) that permit unrestricted ingress to UDP port 4505 from the selected Security Group:
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol udp --port 4505 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol udp --port 4505 --cidr <cidr_block>
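The two CLI commands above assume you already know which rule to revoke and that it is a single-port rule. An audit across many security groups needs to find the offending rules first, and a revoke only succeeds when it matches the existing rule exactly, so a rule written as a port range (e.g. 4500-4510) or as "all traffic" (protocol -1) has to be revoked in that same shape, not as port 4505. The following is an added example, not code from the page or from any AWS tool: it parses the JSON that `aws ec2 describe-security-groups --output json` produces (a constructed sample is embedded so it runs offline), reports every rule that exposes the target port to 0.0.0.0/0 or ::/0, including range and all-traffic rules and IPv6, and generates a matching `revoke-security-group-ingress --ip-permissions` command for each finding. The target port, the region placeholder and the sample group ids are assumptions.

```python
"""Audit describe-security-groups output for rules that expose a port to the
world, and build exactly matching revoke commands (added example)."""
import json

# CIDRs that mean "anywhere" for IPv4 and IPv6.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# Group ids and names are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0example1",
            "GroupName": "salt-master",
            "IpPermissions": [
                # Single-port TCP rule open to the IPv4 world: matches the page's case.
                {"IpProtocol": "tcp", "FromPort": 4505, "ToPort": 4505,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                # UDP range covering 4505; internal IPv4 source but open IPv6 source.
                {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4510,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                # Unrelated port: must not be reported for 4505.
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example2",
            "GroupName": "all-open",
            "IpPermissions": [
                # "All traffic" rule: no FromPort/ToPort, covers every port.
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": []},
            ],
        },
    ]
})


def rule_covers_port(perm, port):
    """True if this IpPermission entry allows traffic to `port` over TCP or UDP."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto not in ("tcp", "udp"):
        return False             # e.g. icmp: not relevant to a TCP/UDP port
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_rules(describe_json, port=4505):
    """Return one finding per (rule, open CIDR) pair that exposes `port`."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                if cidr in OPEN_CIDRS:
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "GroupName": sg["GroupName"],
                        "IpProtocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"),   # None for protocol -1
                        "ToPort": perm.get("ToPort"),
                        "Cidr": cidr,
                    })
    return findings


def revoke_command(finding, region="<region>"):
    """Build a revoke command whose --ip-permissions matches the rule exactly.

    The JSON form handles IPv6 sources, port ranges and all-traffic rules,
    which the --protocol/--port/--cidr shorthand cannot all express.
    """
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if ":" in finding["Cidr"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["Cidr"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["Cidr"]}]
    ip_permissions = json.dumps([perm], separators=(",", ":"))
    return (f"aws ec2 revoke-security-group-ingress --region {region} "
            f"--group-id {finding['GroupId']} --ip-permissions '{ip_permissions}'")


if __name__ == "__main__":
    # Against a real account, replace SAMPLE_DESCRIBE_OUTPUT with the file written by
    # `aws ec2 describe-security-groups --region <region> --output json > sgs.json`.
    for f in find_open_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} "
              f"{f['FromPort']}-{f['ToPort']} from {f['Cidr']}")
        print("  " + revoke_command(f))
```

Review the generated commands before running them: revoking an all-traffic rule or a wide port range removes more than port 4505, so the intended replacement (a narrower port range and a specific source CIDR, as in the optional authorize step above) should be added in the same change window.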