📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢

• Contextual name: 📝 Security Group allows public IPv6 (::/0) access to admin ports 🟢
• ID: /ce/ca/aws/ec2/security-group-allows-public-ipv6-to-admin-ports
• Located in: 📁 AWS EC2

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Internal
  • dec-x-bcae85fb

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-bcae85fb	2

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 AWS EC2 Security Group
  • 🔌 AWS EC2 Security Group Rule - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.

Rationale

Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.

Impact

When updating an existing environment, ensure that administrators have access to remote server administration ports through another mechanism before removing access by deleting the ::/0 inbound rule.

Audit

Perform the following to determine if the account is configured as prescribed:

1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home.
2. In the left pane, click Security Groups.
3. For each security group, perform the following:
   • Select the security group.
   • Click the Inbound Rules tab.
   • Ensure no rule exists that has a port range that includes port 22, 3389, or other remote server administration ports for your environment and has a Source of ::/0.

... see more

Remediation

Open File

Remediation

From AWS CLI

Inline JSON example

aws ec2 revoke-security-group-ingress \
    --group-id {{sg-id}} \
    --ip-permissions '[{"IpProtocol": "{{tcp}}","FromPort": {{22}},"ToPort": {{22}},"Ipv6Ranges": [{ "CidrIpv6": "::/0" }]}]'

Using a file

Extract the existing rule to a file:

aws ec2 describe-security-groups \
    --group-id {{sg-id}} \
    --query "SecurityGroups[0].IpPermissions[?Ipv6Ranges[?CidrIpv6=='::/0']]" \
    --output json > {{revoke-rule}}.json

Revoke it by referencing the file:

aws ec2 revoke-security-group-ingress \
    --group-id {{sg-id}} \
    --ip-permissions file://{{revoke-rule}}.json

Note: You must revoke the entire rule as it was originally defined — that is, exact protocol, full port range, and CIDR block — and if needed, recreate any safe sub-rules after that.

From Console

Perform the following to implement the prescribed state:

1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home.
2. In the left pane, click Security Groups.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises;		29	30
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		35	37
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk			10
💼 CIS AWS v1.5.0 → 💼 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports - Level 1 (Automated)		1	1
💼 CIS AWS v2.0.0 → 💼 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports - Level 1 (Automated)		1	1
💼 CIS AWS v3.0.0 → 💼 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports - Level 1 (Automated)		1	1
💼 CIS AWS v4.0.0 → 💼 5.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports (Automated)			1
💼 CIS AWS v4.0.1 → 💼 5.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports (Automated)			1
💼 CIS AWS v5.0.0 → 💼 5.4 Ensure no security groups allow ingress from ::/0 to remote server administration ports (Automated)			1
💼 Cloudaware Framework → 💼 Public and Anonymous Access			77
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	64
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	36	75
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	42
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	24
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			14
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33
💼 FedRAMP High Security Controls → 💼 CM-7(1) Periodic Review (M)(H)		12	12
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	45
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			25
💼 FedRAMP High Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)			18
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			19
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			23
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)			29
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			30
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			64
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		60
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			42
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		24
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			14
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3		33
💼 FedRAMP Moderate Security Controls → 💼 CM-7(1) Periodic Review (M)(H)			12
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		39
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			25
💼 FedRAMP Moderate Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)			18
💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services		17	18
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	41
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed		18	23
💼 NIST CSF v1.1 → 💼 DE.DP-5: Detection processes are continuously improved		13	15
💼 NIST CSF v1.1 → 💼 ID.AM-1: Physical devices and systems within the organization are inventoried			3
💼 NIST CSF v1.1 → 💼 ID.AM-2: Software platforms and applications within the organization are inventoried		5	7
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	52
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	22
💼 NIST CSF v1.1 → 💼 PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition			7
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	66
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)		4	26
💼 NIST CSF v1.1 → 💼 PR.IP-7: Protection processes are improved			2
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities		21	30
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	22
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			115
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			81
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			31
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			134
💼 NIST CSF v2.0 → 💼 ID.AM-01: Inventories of hardware managed by the organization are maintained			4
💼 NIST CSF v2.0 → 💼 ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained			9
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			45
💼 NIST CSF v2.0 → 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles			21
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			34
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			88
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			22
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			114
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			94
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			108
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			66
💼 NIST SP 800-53 Revision 4 → 💼 CM-7 (1) PERIODIC REVIEW		3	4
💼 NIST SP 800-53 Revision 4 → 💼 CM-7 LEAST FUNCTIONALITY	5	6	7
💼 NIST SP 800-53 Revision 4 → 💼 CM-8 INFORMATION SYSTEM COMPONENT INVENTORY	9	1	2
💼 NIST SP 800-53 Revision 4 → 💼 PL-2 SYSTEM SECURITY PLAN	3	1	2
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION	23	5	10
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	68	85
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	42
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			20
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		23
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency			14
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality	9		23
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	47
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			25
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception		4	18
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			19
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			20
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			19
💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards	7	1	38
💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.		1	27
💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.			34
💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.			27
💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.			27
💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.		24	34
💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.		15	27
💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.		6	27
💼 SOC 2 → 💼 CC6.1-3 Restricts Logical Access		1	21
💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets		13	26
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		36	38