VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)¶
Description¶
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent). Removing unfettered connectivity to a Cassandra OpsCenter Agent reduces the chance of exposing critical data.
Remediation Steps¶
AWS Console¶
Navigate to VPC.
In the left navigation pane, click Security Groups.
Remove any rules that include port 61621 and have a source of 0.0.0.0/0.
Click Save.
AWS CLI¶
List all security groups with an ingress rule of 0.0.0.0/0:
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
Remove the inbound rule(s) that permits unrestricted ingress to port 61621:
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 61621 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 61621 --cidr <cidr_block>
Terraform¶
Ensure that an aws_security_group
ingress
block does NOT contain both of the following:A
0.0.0.0/0
in thecidr_blocks
field61621
is within the port range defined fromfrom_port
toto_port
, ORfrom_port
andto_port
are both set to0
Example Configuration¶
resource "aws_security_group" "example" {
ingress {
cidr_blocks = [10.0.0.0/16]
from_port = 61621
to_port = 61621
# other required fields here
}
}