Skip to main content

πŸ“ AWS EC2 Security Group allows unrestricted NetBIOS traffic 🟒

  • Contextual name: πŸ“ Security Group allows unrestricted NetBIOS traffic 🟒
  • ID: /ce/ca/aws/ec2/security-group-allows-unrestricted-netbios-traffic
  • Located in: πŸ“ AWS EC2

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-6eab9b881

Logic​

Description​

Open File

Description​

It is recommended to evaluate and restrict the configuration of AWS EC2 security groups to prevent unrestricted NetBIOS traffic (TCP: 137, 139, UDP: 137, 138). NetBIOS is often used in legacy systems for file sharing and network management in Windows environments, but exposing these ports publicly can pose significant security risks.

Rational​

Restricting NetBIOS traffic in security groups reduces the attack surface of your EC2 instances, enhancing the overall security posture. NetBIOS is known to be vulnerable to exploitation and is rarely required in modern cloud-based applications. Addressing this configuration minimizes the risk of unauthorized access, data exfiltration, and the spread of malicious payloads.

Impact​

Restrictions could also disrupt legitimate operations for systems relying on NetBIOS for communication. Therefore, should be carefully implemented, ensuring that it does not interfere with necessary business functions.

Audit​

This policy marks an EC2 Security Group as INCOMPLIANT if it contains a rule that meets all the following conditions:

... see more

Remediation​

Open File

Remediation​

From Command Line​

  1. Run the following command to remove or modify the unrestricted rule for NetBIOS access:
aws ec2 revoke-security-group-ingress \
--region {{region-name}} \
--group-id {{security-group-id}} \
--protocol {{protocol}} \
--port {{137, 138, or 139}} \
--cidr {{0.0.0.0/0 or ::/0}}

  • Optionally, run the authorise-security-group-ingress command to create a new rule, specifying a trusted CIDR range instead of 0.0.0.0/0.

  1. Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:
aws ec2 describe-security-groups \
--region {{region-name}} \
--group-ids {{security-group-id}} \
--query 'SecurityGroups[*].IpPermissions[?FromPort==`137`].{CIDR:IpRanges[*].CidrIp,Port:FromPort}'
  1. Confirm that application functionality is unaffected by the updated rules.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 36f network design β€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2930
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3537
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Threat Protection27
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3764
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1142
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7(1) Periodic Review (M)(H)1212
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)42
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7(1) Periodic Review (M)(H)12
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.1.2 Access to networks and network services1718
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1752
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2130
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties88
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3742
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1 Establish and implement firewall and router configuration standards7138
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1035
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.33
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.4 Configure system security parameters to prevent misuse.16
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.35
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.35
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.5 If any insecure services, protocols, or daemons are present, business justification is documented.3
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.16
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.735
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.35
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.5 If any insecure services, protocols, or daemons are present, business justification is documented.3
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.1216
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-7 Restricts Access to Information Assets1326
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-1 Restricts Access1619
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.2 Prevent access to the administrative interface from the internet3638