Remediation
From AWS CLI
Inline JSON example
aws ec2 revoke-security-group-ingress \
--group-id {{sg-id}} \
--ip-permissions '[{"IpProtocol": "{{tcp}}","FromPort": {{22}},"ToPort": {{22}},"Ipv6Ranges": [{ "CidrIpv6": "::/0" }]}]'
Using a file
Extract the existing rule to a file:
aws ec2 describe-security-groups \
--group-ids {{sg-id}} \
--query "SecurityGroups[0].IpPermissions[?Ipv6Ranges[?CidrIpv6=='::/0']]" \
--output json > {{revoke-rule}}.json
Revoke it by referencing the file:
aws ec2 revoke-security-group-ingress \
--group-id {{sg-id}} \
--ip-permissions file://{{revoke-rule}}.json
Note: You must revoke the rule exactly as it was originally defined (same protocol, full port range, and CIDR block); afterwards, recreate any safe sub-rules you still need.
From Console
Perform the following to implement the prescribed state:
- Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home.
- In the left pane, click Security Groups.
- For each security group, perform the following:
  - Select the security group.
  - Click the Inbound Rules tab.
  - Click the Edit inbound rules button.
  - Identify the rules to be edited or removed.
  - Either:
    - A. update the Source field to a range other than ::/0, or,
    - B. click Delete to remove the offending inbound rule.
  - Click Save rules.
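The CLI and console procedures above both come down to the same two operations: find the ingress entries that admit ::/0 over IPv6 to the port in question, then revoke exactly that source (and, if the console's option A is wanted, re-add the rule with a narrower source). The following is an added example, not code from the benchmark page or from AWS; it works on the JSON shape that aws ec2 describe-security-groups (and boto3's describe_security_groups) return, the sample security group and all function names are this example's own, and it runs offline. It goes slightly beyond the page by also catching the IpProtocol "-1" (all traffic) form, which exposes port 22 without naming it.

```python
"""Locate IPv6 ::/0 ingress to a port in a security group and build the
exact revoke (and optional replacement) payloads for it.

Added example; not code from the benchmark page or from AWS. It operates on
the JSON shape that `aws ec2 describe-security-groups` / boto3 return, so it
can be exercised offline on the constructed sample below. Function names are
this example's own.
"""
import json

ANY_IPV6 = "::/0"


def _covers_port(perm, port):
    """True if an IpPermissions entry admits traffic to TCP `port`.

    IpProtocol "-1" means every protocol and port (such entries carry no
    FromPort/ToPort); "tcp" and its protocol number "6" are equivalent.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:
        return False
    return low <= port <= high


def find_open_ipv6_rules(sg, port=22):
    """Return the IpPermissions entries that expose `port` to ::/0 over IPv6."""
    return [
        perm for perm in sg.get("IpPermissions", [])
        if _covers_port(perm, port)
        and any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    ]


def _rule_key(perm):
    """Protocol and port range copied exactly as EC2 defined them; a revoke
    only matches an existing rule when these agree with it."""
    key = {"IpProtocol": perm["IpProtocol"]}
    for field in ("FromPort", "ToPort"):
        if field in perm:
            key[field] = perm[field]
    return key


def build_revoke_payload(perms):
    """IpPermissions list that revokes only the ::/0 IPv6 source of each
    offending entry. EC2 treats each source (CIDR, SG reference, prefix list)
    as its own rule, so IPv4 ranges and other IPv6 ranges on the same
    protocol/port stay in place."""
    payload = []
    for perm in perms:
        entry = _rule_key(perm)
        entry["Ipv6Ranges"] = [{"CidrIpv6": ANY_IPV6}]
        payload.append(entry)
    return payload


def build_replacement_payload(perms, allowed_cidr_v6):
    """IpPermissions list that re-creates each revoked rule with a narrower
    IPv6 source (the console's "update the Source field" option)."""
    return [
        dict(_rule_key(perm), Ipv6Ranges=[{"CidrIpv6": allowed_cidr_v6}])
        for perm in perms
    ]


# Constructed sample in the describe-security-groups shape (not real data).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {   # SSH from a private IPv4 range plus two IPv6 ranges, one of them ::/0
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}, {"CidrIpv6": "2001:db8::/32"}],
        },
        {   # HTTPS open to the world: not an SSH finding
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
        },
        {   # "all traffic" from ::/0 also exposes port 22
            "IpProtocol": "-1",
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
        },
    ],
}


if __name__ == "__main__":
    offending = find_open_ipv6_rules(SAMPLE_SG, port=22)
    print(json.dumps(build_revoke_payload(offending), indent=2))
    print(json.dumps(build_replacement_payload(offending, "2001:db8:1::/64"), indent=2))
```

The list that build_revoke_payload returns is exactly what the page's file-based step feeds to --ip-permissions file://... (or to the IpPermissions parameter of boto3's revoke_security_group_ingress), and the replacement list is the matching input for authorize-security-group-ingress. Because the payload names only the ::/0 source, the 10.0.0.0/8 and 2001:db8::/32 entries on the sample SSH rule survive the revoke, which is the "recreate any safe sub-rules" concern from the note handled up front rather than after the fact.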