Skip to main content

๐Ÿ›ก๏ธ AWS EC2 Security Group allows unrestricted CIFS traffic๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Security Group allows unrestricted CIFS traffic๐ŸŸข
  • ID: /ce/ca/aws/ec2/security-group-allows-unrestricted-cifs-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-14bf01f31

Descriptionโ€‹

Open File

Descriptionโ€‹

Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches.

Rationaleโ€‹

Allowing unrestricted CIFS access can lead to significant security vulnerabilities, as it may allow unauthorized users to access sensitive files and data. By restricting CIFS access to known and trusted networks, you can minimize the risk of unauthorized access and protect sensitive data from exposure to potential attackers. Implementing proper network access controls and permissions is essential for maintaining the security and integrity of your file-sharing systems.

Impactโ€‹

Restricting CIFS access may require additional configuration and management effort. However, the benefits of enhanced security and reduced risk of unauthorized access to

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Command Lineโ€‹

  1. Run the following command to remove or modify the unrestricted rule for CIFS access:
aws ec2 revoke-security-group-ingress \
--region {{region-name}} \
--group-id {{security-group-id}} \
--protocol {{protocol}} \
--port 445 \
--cidr {{0.0.0.0/0 or ::/0}}

  • Optionally, run the authorise-security-group-ingress command to create a new rule, specifying a trusted CIDR range instead of 0.0.0.0/0 or ::/0.

  1. Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:
aws ec2 describe-security-groups \
--region {{region-name}} \
--group-ids {{security-group-id}} \
--query 'SecurityGroups[*].IpPermissions[?FromPort==`445`].{CIDR:IpRanges[*].CidrIp,Port:FromPort}'
  1. Ensure that services relying on CIFS/SMB functionality operate correctly with the updated security group rules.

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36d access management controls โ€”only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);1414no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36e hardware and software asset controls โ€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1616no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36f network design โ€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2930no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3537no data
๐Ÿ’ผ AWS Foundational Security Best Practices v1.0.0 โ†’ ๐Ÿ’ผ [EC2.19] Security groups should not allow unrestricted access to ports with high risk10no data
๐Ÿ’ผ CIS AWS v4.0.0 โ†’ ๐Ÿ’ผ 5.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access (Manual)1no data
๐Ÿ’ผ CIS AWS v4.0.1 โ†’ ๐Ÿ’ผ 5.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access (Manual)1no data
๐Ÿ’ผ CIS AWS v5.0.0 โ†’ ๐Ÿ’ผ 5.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access (Automated)1no data
๐Ÿ’ผ CIS AWS v6.0.0 โ†’ ๐Ÿ’ผ 6.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Threat Protection48no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)237101no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1160no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ CM-2 Baseline Configuration (L)(M)(H)3137no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ CM-2(2) Automation Support for Accuracy and Currency (M)(H)18no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ CM-7 Least Functionality (L)(M)(H)31833no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)10879no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)46no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)19no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SC-7(21) Isolation of System Components (H)35no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ CM-2 Baseline Configuration (L)(M)(H)36no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ CM-7 Least Functionality (L)(M)(H)29no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)47no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement (M)(H)185no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)60no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ CM-2 Baseline Configuration (L)(M)(H)337no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ CM-2(2) Automation Support for Accuracy and Currency (M)(H)18no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ CM-7 Least Functionality (L)(M)(H)333no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7 Boundary Protection (L)(M)(H)765no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(4) External Telecommunications Services (M)(H)46no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SC-7(5) Deny by Default โ€” Allow by Exception (M)(H)19no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.9.4.1 Information access restriction1920no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1756no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-5: Protections against data leaks are implemented4791no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events170no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events170no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained86no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties131no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected180no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected156no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected176no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.IR-01: Networks and environments are protected from unauthorized logical access and usage119no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4 Information Flow Enforcement3269116no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3760no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ CA-9(1) Internal System Connections _ Compliance Checks43no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ CM-2 Baseline Configuration736no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency18no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ CM-7 Least Functionality923no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7 Boundary Protection29486no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(4) Boundary Protection _ External Telecommunications Services46no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(5) Boundary Protection _ Deny by Default โ€” Allow by Exception419no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic35no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(16) Boundary Protection _ Prevent Discovery of System Components36no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SC-7(21) Boundary Protection _ Isolation of System Components35no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1 Establish and implement firewall and router configuration standards7139no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1063no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7841no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.627no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.27no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.5 Permit only โ€œestablishedโ€ connections into the network.27no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 2.2.4 Configure system security parameters to prevent misuse.16no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.63no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.63no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.19no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.27no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 2.2.6 System security parameters are configured to prevent misuse.16no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.763no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.63no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.719no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.727no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 2.2.6 System security parameters are configured to prevent misuse.1216no data
๐Ÿ’ผ UK Cyber Essentials โ†’ ๐Ÿ’ผ 1.2 Prevent access to the administrative interface from the internet3638no data