
🛡️ AWS EC2 Security Group allows unrestricted ICMP traffic🟢

  • Contextual name: 🛡️ Security Group allows unrestricted ICMP traffic🟢
  • ID: /ce/ca/aws/ec2/security-group-allows-unrestricted-icmp-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Similar Internal Rules

  • ✉️ dec-x-42a090841

Description

Ensure that ICMP traffic (used for network diagnostics such as ping) is appropriately restricted in AWS EC2 Security Groups. Allowing unrestricted ICMP access can expose the EC2 instances to network reconnaissance or Denial of Service (DoS) attacks. Restricting ICMP access is essential for maintaining a secure environment by limiting unnecessary traffic and potential attack vectors.

Rationale

ICMP is commonly used for network diagnostics but can also be exploited by malicious actors for reconnaissance purposes, such as identifying active hosts or determining the topology of your network. By allowing unrestricted ICMP access, attackers could send large numbers of requests (ping floods) that overwhelm systems or network devices, leading to a Denial of Service (DoS) attack. Restricting ICMP helps secure the infrastructure by minimizing exposure to such attacks while ensuring that legitimate diagnostic traffic remains functional.

Impact

You might impact network diagnostics or monitoring tools that rely on ICMP, requiring careful configuration of access.


Remediation

From Command Line

  1. Run the following command to remove the unrestricted ICMP rule. The protocol, type/code and CIDR must match the existing rule exactly (step 2 shows the rule's ICMP type in FromPort; -1 means all types):

    aws ec2 revoke-security-group-ingress \
    --region {{region-name}} \
    --group-id {{security-group-id}} \
    --protocol icmp \
    --port {{-1}} \
    --cidr {{0.0.0.0/0}}
    • For an IPv6 rule open to ::/0, the protocol is icmpv6 and --cidr accepts IPv4 ranges only, so pass the rule through --ip-permissions (an object with IpProtocol, FromPort, ToPort and Ipv6Ranges) instead.
    • Optionally, run the authorize-security-group-ingress command to create a replacement rule that specifies a trusted CIDR range instead of 0.0.0.0/0 or ::/0.
  2. Confirm the change by describing the security group and checking that no ICMP or ICMPv6 rule still lists 0.0.0.0/0 or ::/0:

    aws ec2 describe-security-groups \
    --region {{region-name}} \
    --group-ids {{security-group-id}} \
    --query 'SecurityGroups[*].IpPermissions[?IpProtocol==`icmp` || IpProtocol==`icmpv6`].{CIDR:IpRanges[*].CidrIp,CIDRv6:Ipv6Ranges[*].CidrIpv6,Type:FromPort}'
  3. After applying these changes, monitor the network for any issues related to legitimate use of ICMP, such as network diagnostics or monitoring tools, to ensure no unintended disruptions occur.
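The check and the revoke step above, as an added example (not Cloudaware's rule logic or AWS code): it evaluates the JSON that `aws ec2 describe-security-groups` returns, on a constructed sample so it runs offline, and builds the exact --ip-permissions revoke for each finding. The group id and region are placeholders.

```python
"""Flag security-group ingress rules that allow ICMP from anywhere.

Added example, not Cloudaware's rule logic. It evaluates the JSON shape
returned by `aws ec2 describe-security-groups` (constructed sample below),
so it runs offline; with boto3, pass ec2.describe_security_groups()["SecurityGroups"].
"""
import json

OPEN_V4, OPEN_V6 = "0.0.0.0/0", "::/0"
# "-1" is the all-traffic protocol and admits ICMP as well.
ICMP_PROTOCOLS = {"icmp", "icmpv6", "-1"}

# Constructed sample: open ICMP, open ICMPv6, open HTTPS (out of scope) and
# ICMP echo-request limited to a private range (compliant).
SAMPLE_GROUPS = [{"GroupId": "sg-0example1", "IpPermissions": [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": OPEN_V4}], "Ipv6Ranges": []},
    {"IpProtocol": "icmpv6", "FromPort": -1, "ToPort": -1,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": OPEN_V6}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": OPEN_V4}], "Ipv6Ranges": []},
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]}]

def unrestricted_icmp_rules(groups):
    """One finding per ICMP-capable rule open to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ICMP_PROTOCOLS:
                continue
            # Keep the rule's own type/code so a revoke matches it exactly.
            ports = {k: perm[k] for k in ("FromPort", "ToPort") if k in perm}
            if any(r.get("CidrIp") == OPEN_V4 for r in perm.get("IpRanges", [])):
                findings.append({"GroupId": sg["GroupId"], "IpProtocol": proto,
                                 **ports, "IpRanges": [{"CidrIp": OPEN_V4}]})
            if any(r.get("CidrIpv6") == OPEN_V6 for r in perm.get("Ipv6Ranges", [])):
                findings.append({"GroupId": sg["GroupId"], "IpProtocol": proto,
                                 **ports, "Ipv6Ranges": [{"CidrIpv6": OPEN_V6}]})
    return findings

def revoke_command(region, finding):
    """CLI line revoking only the offending range; --ip-permissions also covers ::/0."""
    perm = {k: v for k, v in finding.items() if k != "GroupId"}
    return ("aws ec2 revoke-security-group-ingress --region %s --group-id %s "
            "--ip-permissions '%s'" % (region, finding["GroupId"], json.dumps(perm)))
```

Running `unrestricted_icmp_rules(SAMPLE_GROUPS)` yields two findings (the open icmp and icmpv6 rules); the TCP 443 rule and the 10.0.0.0/8 echo rule are left alone.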


Linked Framework Sections

Section → Sub Section (counts: Internal Rules / Policies / Flags; Compliance)

  • 💼 APRA CPG 234 → 💼 36f network design — to ensure authorised network traffic flows and to reduce the impact of security compromises (counts: 3435; compliance: no data)
  • 💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions. (counts: 4042; compliance: no data)
  • 💼 Cloudaware Framework → 💼 Network Exposure (counts: 137; compliance: no data)
  • 💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) (counts: 3790; compliance: no data)
  • 💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) (counts: 1168; compliance: no data)
  • 💼 FedRAMP High Security Controls → 💼 CM-7(1) Periodic Review (M)(H) (counts: 1212; compliance: no data)
  • 💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) (counts: 90; compliance: no data)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) (counts: 90; compliance: no data)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) (counts: 68; compliance: no data)
  • 💼 FedRAMP Moderate Security Controls → 💼 CM-7(1) Periodic Review (M)(H) (counts: 12; compliance: no data)
  • 💼 ISO/IEC 27001:2013 → 💼 A.9.1.2 Access to networks and network services (counts: 1819; compliance: no data)
  • 💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties (counts: 2362; compliance: no data)
  • 💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented (counts: 5498; compliance: no data)
  • 💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities (counts: 2231; compliance: no data)
  • 💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties (counts: 144; compliance: no data)
  • 💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected (counts: 196; compliance: no data)
  • 💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected (counts: 167; compliance: no data)
  • 💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected (counts: 197; compliance: no data)
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement | Physical or Logical Separation of Information Flows (counts: 4268; compliance: no data)
  • 💼 PCI DSS v3.2.1 → 💼 1.1 Establish and implement firewall and router configuration standards (counts: 7145; compliance: no data)
  • 💼 PCI DSS v3.2.1 → 💼 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. (counts: 132; compliance: no data)
  • 💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. (counts: 1067; compliance: no data)
  • 💼 PCI DSS v4.0.1 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained. (counts: 40; compliance: no data)
  • 💼 PCI DSS v4.0.1 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need. (counts: 32; compliance: no data)
  • 💼 PCI DSS v4.0.1 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. (counts: 32; compliance: no data)
  • 💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted. (counts: 67; compliance: no data)
  • 💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted. (counts: 67; compliance: no data)
  • 💼 PCI DSS v4.0 → 💼 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained. (counts: 3040; compliance: no data)
  • 💼 PCI DSS v4.0 → 💼 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need. (counts: 2032; compliance: no data)
  • 💼 PCI DSS v4.0 → 💼 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. (counts: 832; compliance: no data)
  • 💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted. (counts: 967; compliance: no data)
  • 💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted. (counts: 67; compliance: no data)
  • 💼 SOC 2 → 💼 CC6.1-7 Restricts Access to Information Assets (counts: 1327; compliance: no data)
  • 💼 SOC 2 → 💼 CC6.6-1 Restricts Access (counts: 1619; compliance: no data)
  • 💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet (counts: 4244; compliance: no data)