VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)

Description

VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent). Removing unfettered connectivity to a Cassandra OpsCenter Agent reduces the chance of exposing critical data.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • In the left navigation pane, click Security Groups.

    • Remove any rules that include port 61621 and have a source of 0.0.0.0/0.

    • Click Save.

AWS CLI

  • List all security groups with an ingress rule of 0.0.0.0/0:

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the inbound rule(s) that permit unrestricted ingress to port 61621 (the command below revokes the TCP rule; run it again with --protocol udp if a matching UDP rule exists):

    • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 61621 --cidr 0.0.0.0/0

  • Optionally add a more restrictive ingress rule to the selected Security Group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 61621 --cidr <cidr_block>

Terraform

  • Ensure that an aws_security_group ingress block does NOT contain both of the following:

    • A 0.0.0.0/0 in the cidr_blocks field

    • 61621 falls within the port range defined by from_port and to_port, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = ["10.0.0.0/16"]   # restrict the source to a trusted range, not 0.0.0.0/0
    from_port   = 61621
    to_port     = 61621
    protocol    = "tcp"             # protocol is required in an ingress block
    # other required fields here
  }
}
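The CLI listing step above only finds groups with some 0.0.0.0/0 rule; deciding whether a given rule actually reaches port 61621 requires the same conditions the Terraform bullets spell out (source 0.0.0.0/0 and an all-traffic protocol, a 0..0 port range, or a TCP/UDP range that contains the port). The following Python, added here as an example and not part of this page or of any AWS tooling, applies those conditions to JSON in the shape returned by `aws ec2 describe-security-groups`. The group ids and names in SAMPLE are constructed for the example; the function names are my own.

```python
import json
import sys

TARGET_PORT = 61621          # Cassandra OpsCenter Agent, the port this check covers
WORLD_V4 = "0.0.0.0/0"


def rule_exposes_port(perm, port=TARGET_PORT):
    """Return True if one IpPermissions entry lets 0.0.0.0/0 reach `port`.

    Mirrors the conditions on this page: the source is 0.0.0.0/0 and either
    the protocol is all traffic (-1), the range is the 0..0 "all ports" form,
    or the rule is TCP/UDP with a FromPort..ToPort range containing `port`.
    """
    sources = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    if WORLD_V4 not in sources:
        return False
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":                            # all protocols, every port
        return True
    if proto not in ("tcp", "udp", "6", "17"):   # e.g. icmp: no TCP/UDP port to expose
        return False
    low = perm.get("FromPort", 0)
    high = perm.get("ToPort", 65535)
    if low == 0 and high == 0:                   # the from_port = to_port = 0 form
        return True
    return low <= port <= high


def find_exposed_groups(describe_output, port=TARGET_PORT):
    """Return sorted (GroupId, GroupName, IpProtocol) tuples for offending rules."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if rule_exposes_port(perm, port):
                findings.append((sg["GroupId"], sg["GroupName"], str(perm["IpProtocol"])))
    return sorted(findings)


# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# the group ids and names are placeholders made up for this example.
SAMPLE = {
    "SecurityGroups": [
        {"GroupId": "sg-EXAMPLE01", "GroupName": "opscenter-open", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 61621, "ToPort": 61621,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-EXAMPLE02", "GroupName": "all-traffic", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-EXAMPLE03", "GroupName": "wide-udp-range", "IpPermissions": [
            {"IpProtocol": "udp", "FromPort": 61000, "ToPort": 62000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-EXAMPLE04", "GroupName": "opscenter-internal", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 61621, "ToPort": 61621,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
        {"GroupId": "sg-EXAMPLE05", "GroupName": "ssh-only", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]
}

if __name__ == "__main__":
    # Pass a file saved from `aws ec2 describe-security-groups --output json`
    # to scan a real account; with no argument the constructed sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for group_id, name, proto in find_exposed_groups(data):
        print(f"{group_id} ({name}): {proto} from {WORLD_V4} reaches port {TARGET_PORT}")
```

On the sample, the first three groups are reported (exact port, all traffic, and a UDP range that contains 61621) while the internal-only and SSH-only groups are not; the reported ids are the ones to feed into the revoke-security-group-ingress step.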