VPC security group inbound rules should not permit ingress from any address to all ports and protocols
Description
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow inbound access from any address to all ports and protocols.
Remediation Steps
AWS Console
Navigate to VPC.
In the left navigation, select Security Groups.
For each security group, perform the steps described below.
Select the Security Group, click the Inbound Rules tab, and click Edit rules.
Remove any rules that permit ingress from any address to all ports and protocols.
Click Save.
AWS CLI
Remove all ingress rules which allow connectivity from a CIDR block to all ports and protocols:
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=0,IpProtocol=tcp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=65535'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=0,IpProtocol=udp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=65535'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=icmp,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=icmpv6,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'
aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions 'FromPort=-1,IpProtocol=-1,IpRanges=[{CidrIp=<cidr>}],Ipv6Ranges=[{CidrIpv6=<v6-cidr>}],ToPort=-1'
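Before revoking rules by hand it helps to find exactly which rules match this check. The following script is an added example, not code from the original page or from AWS: it takes the `SecurityGroups` list in the shape returned by `aws ec2 describe-security-groups` (the `SECURITY_GROUPS` sample below is constructed for the demo), flags ingress rules whose source is unrestricted (`0.0.0.0/0` or `::/0`, the assumed meaning of "any address") and whose port range covers every port for that protocol (`-1`, `tcp`/`udp` 0 to 65535, `icmp`/`icmpv6` -1 to -1), and renders the matching `revoke-security-group-ingress` command in the same `--ip-permissions` shorthand used above. Narrow rules, and all-port rules restricted to a private CIDR, are deliberately left alone.

```python
"""Find security group ingress rules open from any address to all ports and protocols.

Added example, not part of the original page. Input is the JSON shape returned by
`aws ec2 describe-security-groups` (or boto3 describe_security_groups()["SecurityGroups"]).
"""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample data: one group with an all-traffic rule open to the world
# (plus two rules that must NOT be flagged), one group that only allows a private CIDR.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-open",
        "IpPermissions": [
            # All protocols, all ports, from anywhere (IPv4 and IPv6): violation.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": ANY_IPV4}],
             "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
            # All TCP ports, but only from a private range: not "any address".
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            # Single port from anywhere: not "all ports".
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0fedcba9876543210",
        "GroupName": "inbound-all-private",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "192.168.0.0/24"}], "Ipv6Ranges": []},
        ],
    },
]


def rule_covers_all_ports(perm):
    """True when the permission spans every port for its protocol.

    describe-security-groups omits FromPort/ToPort for IpProtocol "-1",
    so that case is decided on the protocol alone.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto in ("tcp", "udp"):
        return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535
    if proto in ("icmp", "icmpv6"):
        return perm.get("FromPort") == -1 and perm.get("ToPort") == -1
    return False


def unrestricted_sources(perm):
    """Return (ipv4, ipv6) lists of the permission's CIDRs that mean 'any address'."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return v4, v6


def find_violations(groups):
    """Return one finding per ingress rule that is open to any address on all ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_all_ports(perm):
                continue
            v4, v6 = unrestricted_sources(perm)
            if not (v4 or v6):
                continue
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg.get("GroupName", ""),
                "protocol": perm["IpProtocol"],
                # Use -1 for all-traffic rules, matching the CLI examples on the page.
                "from_port": perm.get("FromPort", -1),
                "to_port": perm.get("ToPort", -1),
                "ipv4_sources": v4,
                "ipv6_sources": v6,
            })
    return findings


def revoke_command(finding):
    """Render the revoke-security-group-ingress command for one finding.

    Only the unrestricted CIDRs are included, so any narrower sources on the
    same rule survive the revoke.
    """
    parts = [f"FromPort={finding['from_port']}", f"IpProtocol={finding['protocol']}"]
    if finding["ipv4_sources"]:
        parts.append("IpRanges=[" + ",".join(f"{{CidrIp={c}}}" for c in finding["ipv4_sources"]) + "]")
    if finding["ipv6_sources"]:
        parts.append("Ipv6Ranges=[" + ",".join(f"{{CidrIpv6={c}}}" for c in finding["ipv6_sources"]) + "]")
    parts.append(f"ToPort={finding['to_port']}")
    return (f"aws ec2 revoke-security-group-ingress --group-id {finding['group_id']} "
            f"--ip-permissions '{','.join(parts)}'")


if __name__ == "__main__":
    for f in find_violations(SECURITY_GROUPS):
        print(f"{f['group_id']} ({f['group_name']}): {f['protocol']} "
              f"{f['from_port']}-{f['to_port']} from {f['ipv4_sources'] + f['ipv6_sources']}")
        print("  " + revoke_command(f))
```

Run against live data by replacing `SECURITY_GROUPS` with the parsed output of `aws ec2 describe-security-groups --query SecurityGroups`; review the printed commands before executing them, since each one removes a whole rule entry and an all-traffic rule may be the only thing keeping a legitimate internal path open.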
Terraform
Ensure that the aws_security_group ingress block does NOT contain either of the following invalid port ranges for any CIDR block:
- from_port and to_port are both set to 0
- from_port is set to 0 and to_port is set to 65535
Example Configuration
resource "aws_security_group" "inbound-all-private" {
  name = "inbound-all-private"
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["192.168.0.0/24"]
  }
}