VPC security group rules should not permit ingress from ‘0.0.0.0/0’ except to ports 80 and 443
Description
VPC security group rules should not permit unrestricted ingress from the internet (0.0.0.0/0); the only exceptions are port 80 (HTTP) and port 443 (HTTPS), because web applications and APIs generally need to be publicly accessible.
Remediation Steps
AWS Console
Navigate to VPC.
In the left navigation pane, click Security Groups.
Remove any rules that permit ingress from ‘0.0.0.0/0’ except to ports 80 and 443.
Click Save.
AWS CLI
List all security groups that have an ingress rule from 0.0.0.0/0 (this filter also matches groups whose only open ports are 80 and 443, so check the ports of each rule before revoking it):
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
Remove each inbound rule that permits ingress from ‘0.0.0.0/0’ to a port other than 80 or 443 (for a group in a non-default VPC, pass --group-id <group_id> instead of --group-name):
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port <number> --cidr 0.0.0.0/0
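The describe-security-groups filter above lists every group with a 0.0.0.0/0 rule but says nothing about ports. The following script, added here as an example and not part of this page or the AWS CLI, applies the port condition to that command's JSON output: a rule open to 0.0.0.0/0 passes only if it targets exactly port 80 or 443, while all-traffic rules (IpProtocol "-1") and port ranges such as 80-443 are flagged. The sample data and group IDs are constructed placeholders.

```python
import json
import sys

ALLOWED_PUBLIC_PORTS = {80, 443}
ANYWHERE = "0.0.0.0/0"


def is_permitted_public_rule(perm):
    """A rule open to 0.0.0.0/0 is acceptable only if it targets exactly port 80 or 443."""
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    # IpProtocol "-1" (all traffic) carries no port range and is never acceptable from the internet.
    if perm.get("IpProtocol") == "-1" or from_port is None or to_port is None:
        return False
    # A range such as 80-443 exposes far more than the two allowed ports, so require a single port.
    return from_port == to_port and from_port in ALLOWED_PUBLIC_PORTS


def find_violations(security_groups):
    """Return (GroupId, IpProtocol, FromPort, ToPort) for every ingress rule open to 0.0.0.0/0
    on anything other than port 80 or 443. Input is the SecurityGroups list of describe-security-groups."""
    violations = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            open_to_internet = any(r.get("CidrIp") == ANYWHERE for r in perm.get("IpRanges", []))
            if open_to_internet and not is_permitted_public_rule(perm):
                violations.append((sg["GroupId"], perm.get("IpProtocol"),
                                   perm.get("FromPort"), perm.get("ToPort")))
    return violations


# Constructed sample in the shape returned by `aws ec2 describe-security-groups`; group IDs are placeholders.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web-placeholder", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin-placeholder", "IpPermissions": [
        # Port 22 from the internet is flagged; the same rule from 10.0.0.0/16 alone would be fine.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-wide-placeholder", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}


if __name__ == "__main__":
    # Pipe real output in with: aws ec2 describe-security-groups | python3 audit_sg.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for group_id, proto, from_port, to_port in find_violations(data["SecurityGroups"]):
        print(f"{group_id}: {proto} {from_port}-{to_port} open to {ANYWHERE}")
```

The flagged tuples map directly onto the revoke-security-group-ingress arguments above (group, protocol, port, CIDR).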
CloudFormation
JSON
Ensure that AWS::EC2::SecurityGroup does not permit ingress from 0.0.0.0/0 except to port 80 and port 443:
{
  "Properties" : {
    "SecurityGroupIngress" : [
      {
        "CidrIp" : "0.0.0.0/0",
        "ToPort" : 80
      }
    ]
  }
}
JSON Example Configuration
{
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "Allow HTTP from the internet",
    "SecurityGroupIngress" : [
      {
        "IpProtocol" : "tcp",
        "FromPort" : 80,
        "ToPort" : 80,
        "CidrIp" : "0.0.0.0/0"
      }
    ]
  }
}
YAML
Ensure that AWS::EC2::SecurityGroup does not permit ingress from 0.0.0.0/0 except to port 80 and port 443:
Properties:
  SecurityGroupIngress:
    - CidrIp: 0.0.0.0/0
      ToPort: 80
YAML Example Configuration
Type: AWS::EC2::SecurityGroup
Properties:
  GroupDescription: Allow HTTP from the internet
  SecurityGroupIngress:
    - IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      CidrIp: 0.0.0.0/0
Terraform
Ensure that an aws_security_group ingress block does not permit ingress from ‘0.0.0.0/0’ except to ports 80 and 443:
Example Configuration
resource "aws_security_group" "example" {
  name        = "example"
  description = "Allow HTTP from the internal network only"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    # Restricted to the internal range; CIDR values must be quoted strings.
    cidr_blocks = ["10.0.0.0/16"]
  }
}