Amazon_VPC_1

Ensure no security groups allow ingress from 0.0.0.0/0 to port 22

Description

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22.

Remediation

From Console:
1. Sign in to the AWS Management Console.
2. Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc/.
3. In the left navigation, select Security Groups.
4. Select the security group that needs to be updated, click the Inbound Rules tab, and click Edit rules.
5. Remove any rules that include port 22 and have a source of 0.0.0.0/0.
6. Click Save.

From AWS CLI:
List all security groups with an ingress rule of 0.0.0.0/0 using the following command:
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
Remove the rule using the following command (replace the <...> placeholders with your values):
aws ec2 revoke-security-group-ingress --group-id <group-id> --protocol <protocol> --port 22 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected security group using the following command:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group-name> --protocol <protocol> --port 22 --cidr <cidr>
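The CLI filter above matches any group that has a 0.0.0.0/0 rule on any port. The following Python check is an added example, not part of the benchmark, that narrows the describe-security-groups JSON to rules that actually admit port 22, including "all traffic" (-1) rules, port ranges that span 22 and the IPv6 ::/0 source; the sample data and group IDs are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
# (assumption: only the fields this check reads are reproduced; IDs are made up).
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "ssh-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "all-traffic-v6", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "wide-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "bastion-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eee", "GroupName": "udp-only", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]})

ANY_SOURCE = {"0.0.0.0/0", "::/0"}   # IPv4 and IPv6 "anywhere"

def open_sources(perm, port=22):
    """Return the unrestricted CIDRs in one IpPermissions entry that admit `port`."""
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    cidrs &= ANY_SOURCE
    if not cidrs:
        return set()
    proto = perm["IpProtocol"]
    if proto == "-1":                      # "All traffic": every protocol and port
        return cidrs
    if proto not in ("tcp", "6"):          # SSH is TCP; a UDP/22 rule is not this finding
        return set()
    in_range = perm["FromPort"] <= port <= perm["ToPort"]   # ranges such as 0-1024 count
    return cidrs if in_range else set()

def find_open_port(describe_json, port=22):
    """Findings as (GroupId, IpProtocol, 'FromPort-ToPort' or 'all', cidr) tuples."""
    findings = []
    for g in json.loads(describe_json)["SecurityGroups"]:
        for perm in g.get("IpPermissions", []):
            for cidr in sorted(open_sources(perm, port)):
                rng = ("all" if perm["IpProtocol"] == "-1"
                       else f'{perm["FromPort"]}-{perm["ToPort"]}')
                findings.append((g["GroupId"], perm["IpProtocol"], rng, cidr))
    return findings
```

Feed the output of `aws ec2 describe-security-groups --output json` to find_open_port to get the rules to revoke. When revoking, the --protocol, --port and --cidr values must match the existing rule exactly, so a 0-1024 range is removed with --port 0-1024, not --port 22.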

References:
1. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html#AddRemoveRules
2. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html#updating-security-group-rules
3. https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html
4. https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html

Service

VPC

Severity

High

Compliance

Mapping
