VPC security group rules should not permit ingress from ‘0.0.0.0/0’ except to ports 80 and 443

Description

VPC security group rules should not permit unrestricted ingress from the internet (source 0.0.0.0/0, or its IPv6 equivalent ::/0), with the exception of TCP port 80 (HTTP) and TCP port 443 (HTTPS), because web applications and APIs generally need to be publicly reachable. The exception applies only to rules that open exactly port 80 or exactly port 443: an "all traffic" rule, or a port range that merely includes 80 or 443 (for example 0-65535 or 80-443), exposes other services and is not compliant. Every other port should be restricted to the source ranges that actually need access.

Remediation Steps

AWS Console

  • Navigate to the VPC console.

  • In the left navigation pane, click Security Groups.

  • Select the security group and click Edit inbound rules.

  • Remove any rules that permit ingress from ‘0.0.0.0/0’ (or ‘::/0’) except to TCP ports 80 and 443.

  • Click Save rules.

AWS CLI

  • List all security groups with an ingress rule from 0.0.0.0/0 (the filter matches groups that have any such rule, including the permitted 80 and 443 rules, so inspect each group's rules before revoking):

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the inbound rule(s) that permit unrestricted ingress from ‘0.0.0.0/0’ except to ports 80 and 443. Use --group-id rather than --group-name for groups in a non-default VPC:

    • aws ec2 revoke-security-group-ingress --region <region> --group-id <group_id> --protocol <protocol> --port <number> --cidr 0.0.0.0/0
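The describe-security-groups filter above tells you which groups to look at, not which rules to revoke, so the decision still has to be made per rule. The script below is an added example (not part of the original page, and not an AWS CLI feature): it reads the JSON output of aws ec2 describe-security-groups, flags every rule open to 0.0.0.0/0 or ::/0 that is not exactly TCP/80 or TCP/443 (all-traffic rules, UDP, ICMP and ranges such as 80-443 are all flagged), and prints the matching revoke-security-group-ingress command for each finding, using --ip-permissions so that IPv6 and all-traffic rules are handled the same way as simple TCP ports. The group IDs, group names and the region in the embedded sample data are constructed for illustration.

```python
"""Audit 'aws ec2 describe-security-groups' output for world-open ingress.

A rule is a finding when its source is 0.0.0.0/0 or ::/0 and it is anything
other than TCP to exactly port 80 or exactly port 443.
"""
import json
import sys

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
# (IpProtocol, FromPort, ToPort) tuples that may be open to the world.
ALLOWED = {("tcp", 80, 80), ("tcp", 443, 443)}

# Constructed sample in the shape of 'describe-security-groups --output json'.
# Group IDs and names are made up for this example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        # SSH from an internal range is fine; the second source is not.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "legacy", "IpPermissions": [
        # "All traffic": no FromPort/ToPort keys at all.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        # A range that includes 80 and 443 but also everything in between.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
    ]},
]}


def is_allowed(perm):
    """True only for single-port TCP/80 or TCP/443.

    Protocol -1, UDP, ICMP and any port range are findings even when the
    range happens to contain 80 or 443.
    """
    key = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
    return key in ALLOWED


def open_ranges(perm):
    """Yield (range_key, range_dict) for every world-open source of a rule."""
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") == ANY_V4:
            yield "IpRanges", {"CidrIp": ANY_V4}
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") == ANY_V6:
            yield "Ipv6Ranges", {"CidrIpv6": ANY_V6}


def find_violations(describe_output):
    """Return one finding per (group, rule, world-open source range).

    Each finding carries a minimal IpPermission that matches exactly the
    offending source, so revoking it leaves other sources of the same rule
    (e.g. 10.0.0.0/16 on port 22 above) untouched.
    """
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if is_allowed(perm):
                continue
            for range_key, rng in open_ranges(perm):
                ip_perm = {"IpProtocol": perm["IpProtocol"], range_key: [rng]}
                if "FromPort" in perm:  # absent for protocol -1
                    ip_perm["FromPort"] = perm["FromPort"]
                    ip_perm["ToPort"] = perm["ToPort"]
                findings.append({"GroupId": sg["GroupId"],
                                 "GroupName": sg.get("GroupName"),
                                 "IpPermission": ip_perm})
    return findings


def revoke_command(finding, region):
    """Build the CLI command that removes exactly this finding's rule."""
    perm_json = json.dumps([finding["IpPermission"]], separators=(",", ":"))
    return ("aws ec2 revoke-security-group-ingress --region %s --group-id %s "
            "--ip-permissions '%s'" % (region, finding["GroupId"], perm_json))


if __name__ == "__main__":
    # Usage: python3 audit_sg.py sgs.json   (falls back to SAMPLE without a file)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in find_violations(data):
        print("# %s (%s)" % (f["GroupName"], f["GroupId"]))
        print(revoke_command(f, "us-east-1"))  # region is an assumption
```

Feed it real data with `aws ec2 describe-security-groups --region <region> --output json > sgs.json` and review the printed commands before running them; EC2 commands accept --dry-run if you want to confirm permissions first. The region string and the file name audit_sg.py are assumptions, not anything the page prescribes.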

CloudFormation

  • Inspect the SecurityGroupIngress property of every AWS::EC2::SecurityGroup resource (and any standalone AWS::EC2::SecurityGroupIngress resource) for entries whose CidrIp is 0.0.0.0/0 or whose CidrIpv6 is ::/0. Only entries with IpProtocol tcp and FromPort/ToPort of exactly 80 or exactly 443 may be open to the world:

JSON

{
  "Properties" : {
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "tcp",
        "FromPort" : 80,
        "ToPort" : 80,
        "CidrIp" : "0.0.0.0/0"
      }
    ]
  }
}
JSON Example Configuration
{
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Web tier: HTTP/HTTPS from the internet only",
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "tcp",
        "FromPort" : 80,
        "ToPort" : 80,
        "CidrIp" : "0.0.0.0/0"
      },
      {
        "IpProtocol" : "tcp",
        "FromPort" : 443,
        "ToPort" : 443,
        "CidrIp" : "0.0.0.0/0"
      }
    ]
  }
}

YAML

Properties:
  SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
YAML Example Configuration
Type: AWS::EC2::SecurityGroup
Properties:
  GroupDescription: "Web tier: HTTP/HTTPS from the internet only"
  SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
    - IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: 0.0.0.0/0
# other optional fields here

Terraform

  • Ensure that no aws_security_group ingress block (and no aws_security_group_rule or aws_vpc_security_group_ingress_rule resource) permits ingress from ‘0.0.0.0/0’ or ‘::/0’ except to TCP ports 80 and 443. An ingress block requires from_port, to_port and protocol; cidr_blocks is a list of quoted strings:

Example Configuration

resource "aws_security_group" "example" {
  name        = "example"
  description = "Ingress restricted to an internal range"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
    # other optional fields here
  }
}