Skip to main content

πŸ“ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟒

  • Contextual name: πŸ“ Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟒
  • ID: /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports
  • Located in: πŸ“ AWS EC2

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

  • Internal
    • dec-x-bcae85fb

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-bcae85fb2

Logic​

Description​

Open File

Description​

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols

Rationale​

Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Impact​

When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the 0.0.0.0/0 inbound rule.

Audit​

Perform the following to determine if the account is configured as prescribed:

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home.
  2. In the left pane, click Security Groups.
  3. For each security group, perform the following:
    • Select the security group.
    • Click the Inbound Rules tab.

... see more

Remediation​

Open File

Remediation​

Perform the following to implement the prescribed state:

  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home.
  2. In the left pane, click Security Groups.
  3. For each security group, perform the following:
    • Select the security group.
    • Click the Inbound Rules tab.
    • Click the Edit inbound rules button.
    • Identify the rules to be edited or removed.
    • Either:
      • A. update the Source field to a range other than 0.0.0.0/0, or,
      • B. Click Delete to remove the offending inbound rule.
    • Click Save rules.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2829
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3436
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EC2.19] Security groups should not allow unrestricted access to ports with high risk10
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports11
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports11
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - Level 1 (Automated)11
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - Level 1 (Automated)11
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports - Level 1 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 5.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 5.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 5.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access24
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3747
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23165
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1139
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)3114
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-2(2) Automation Support for Accuracy and Currency (M)(H)13
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)31821
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7(1) Periodic Review (M)(H)1111
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10633
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)17
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)19
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(21) Isolation of System Components (H)16
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)13
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)18
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)23
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)151
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)39
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)314
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-2(2) Automation Support for Accuracy and Currency (M)(H)13
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)321
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7(1) Periodic Review (M)(H)11
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)729
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)17
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)19
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.1.2 Access to networks and network services1718
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-1: The network is monitored to detect potential cybersecurity events1928
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed1923
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-5: Detection processes are continuously improved1416
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.AM-1: Physical devices and systems within the organization are inventoried2
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.AM-2: Software platforms and applications within the organization are inventoried46
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1735
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)713
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition2
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4351
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)414
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-7: Protection processes are improved2
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2125
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected713
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events83
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events59
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events27
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-01: Inventories of hardware managed by the organization are maintained3
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained7
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained31
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles3
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities24
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk13
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage40
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CM-7 (1) PERIODIC REVIEW34
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CM-7 LEAST FUNCTIONALITY545
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CM-8 INFORMATION SYSTEM COMPONENT INVENTORY912
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό PL-2 SYSTEM SECURITY PLAN312
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-7 BOUNDARY PROTECTION2356
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326173
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3539
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks15
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-2 Baseline Configuration713
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency13
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-7 Least Functionality911
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7 Boundary Protection29533
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services17
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(5) Boundary Protection _ Deny by Default β€” Allow by Exception519
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic15
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(16) Boundary Protection _ Prevent Discovery of System Components16
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(21) Boundary Protection _ Isolation of System Components16
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3537