Amazon_EC2_63

Ensure no EC2 instance allows incoming traffic from 0.0.0.0/0 to known TCP port

Description

In order to implement the principle of least privilege and reduce the possibility of a breach. Always make sure EC2 instances are not exposed incoming traffic from 0.0.0.0/0 to known TCP ports

Remediation

From Portal:
1. Sign in to the AWS Management Console, and Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/ .
2. In the navigation pane, choose Instances.
3. Select your instance and, in bottom half of the screen, choose the Security tab.
4. Security groups lists the security groups that are associated with the instance. Inbound rules displays a list of the inbound rules that are in effect for the instance.
5. Identify the security group with the scope 0.0.0.0/0 and a Known TCP port from the list in GSL.
6. On the Edit inbound rules page, modify the traffic source that allow traffic from 0.0.0.0/0 to one of the port from the list.
7. Select My IP from the Source dropdown list to allow inbound traffic only from your machine or Select Custom from the Source dropdown list and enter appropriate range of IPs.
8. Click Save to apply the changes.

From Command Line:
1. Identify the security group associated with the instance.Remove the rule which has ingress is 0.0.0.0/0 to one of the from the GSL list.
aws ec2 revoke-security-group-ingress –region REGION –group-name GROUP_NAME –protocol tcp –port PORT_NUMBER –cidr 0.0.0.0/0
2. Now add the inbound rules with different parameters, Modify the CIDR_BLOCK to appropriate range in order to restrict access from 0.0.0/0 to one of the port from the list.
aws ec2 authorize-security-group-ingress –region REGION –group-name GROUP_NAME –protocol PROTOCOL –port PORT –cidr CIDR_BLOCK

From CFT:
Use the link to the Cloudformation resource from the references.

From TF:
Use the link to the terraform resource from the references.

References:
1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html#
3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html
4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
5. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html

Service

EC2

Severity

High

Compliance

Mapping

We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!