Remediation

From Command Line

  1. Run the following command to remove the unrestricted ingress rule for FTP (port 20 or 21) from the security group:

    aws ec2 revoke-security-group-ingress \
    --region {{region-name}} \
    --group-id {{security-group-id}} \
    --protocol {{protocol}} \
    --port {{20 or 21}} \
    --cidr {{0.0.0.0/0 or ::/0}}
    • Optionally, if FTP access is still required, run the authorize-security-group-ingress command to create a replacement rule that specifies a trusted CIDR range instead of 0.0.0.0/0 or ::/0.
  2. Confirm the change by describing the security group again and checking that no rule for port 20 or 21 still lists an unrestricted IPv4 (0.0.0.0/0) or IPv6 (::/0) range:

    aws ec2 describe-security-groups \
    --region {{region-name}} \
    --group-ids {{security-group-id}} \
    --query 'SecurityGroups[*].IpPermissions[?FromPort==`20` || FromPort==`21`].{IPv4:IpRanges[*].CidrIp,IPv6:Ipv6Ranges[*].CidrIpv6,Port:FromPort}'
  3. If FTP is unnecessary, consider disabling it entirely and migrating to secure file transfer protocols like SFTP or FTPS.
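The describe query above only matches rules whose FromPort is exactly 20 or 21, so a rule that opens a wider range (for example 0-1024) or all traffic (protocol -1) to the world would slip past it. The following script is an added example, not part of the original remediation page: it parses the JSON that `aws ec2 describe-security-groups` emits (fed here from a constructed sample rather than a live account), flags every rule that exposes port 20 or 21 to 0.0.0.0/0 or ::/0 regardless of how the port range is expressed, and builds the IpPermissions structure you could pass to `revoke-security-group-ingress --ip-permissions` to remove just the offending ranges. Group IDs and CIDRs in the sample are made up.

```python
import json

FTP_PORTS = (20, 21)
UNRESTRICTED = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# Group IDs and ranges are invented for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0example1",
            "GroupName": "ftp-open",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 21, "ToPort": 21,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example2",
            "GroupName": "wide-range",
            "IpPermissions": [
                # A broad port range exposes FTP although FromPort is neither 20 nor 21.
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {
            "GroupId": "sg-0example3",
            "GroupName": "all-traffic-trusted",
            "IpPermissions": [
                # Protocol -1 means all traffic; FromPort/ToPort are absent, but the
                # source is a private range, so this rule is not a finding.
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}],
                 "Ipv6Ranges": []},
            ],
        },
    ]
})


def rule_covers_port(perm, port):
    """True if this ingress permission admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def unrestricted_cidrs(perm):
    """World-open IPv4 and IPv6 ranges attached to this permission, sorted."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in UNRESTRICTED)


def to_revoke_permission(perm):
    """Build the IpPermissions entry for `revoke-security-group-ingress
    --ip-permissions`, keeping only the unrestricted ranges of this rule."""
    entry = {"IpProtocol": perm.get("IpProtocol")}
    if "FromPort" in perm:
        entry["FromPort"] = perm["FromPort"]
        entry["ToPort"] = perm["ToPort"]
    v4 = [{"CidrIp": c} for c in unrestricted_cidrs(perm) if ":" not in c]
    v6 = [{"CidrIpv6": c} for c in unrestricted_cidrs(perm) if ":" in c]
    if v4:
        entry["IpRanges"] = v4
    if v6:
        entry["Ipv6Ranges"] = v6
    return entry


def find_unrestricted_ftp(describe_json):
    """Return one finding per rule that exposes port 20 or 21 to the world."""
    findings = []
    for sg in json.loads(describe_json).get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            open_cidrs = unrestricted_cidrs(perm)
            if not open_cidrs:
                continue
            exposed = [p for p in FTP_PORTS if rule_covers_port(perm, p)]
            if exposed:
                findings.append({
                    "GroupId": sg["GroupId"],
                    "ExposedPorts": exposed,
                    "Cidrs": open_cidrs,
                    "Revoke": to_revoke_permission(perm),
                })
    return findings


if __name__ == "__main__":
    for f in find_unrestricted_ftp(SAMPLE_DESCRIBE_OUTPUT):
        print(f["GroupId"], "ports", f["ExposedPorts"], "open to", f["Cidrs"])
        print("  aws ec2 revoke-security-group-ingress --group-id", f["GroupId"],
              "--ip-permissions", json.dumps([f["Revoke"]]))
```

Pipe real output in with `aws ec2 describe-security-groups --region {{region-name}} --output json` and pass the text to `find_unrestricted_ftp`; the printed revoke command uses `--ip-permissions` because that form carries both IPv4 and IPv6 ranges, where the page's `--cidr` form takes an IPv4 range only.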