Skip to main content

πŸ“ AWS EC2 Security Group allows unrestricted Telnet traffic 🟒

  • Contextual name: πŸ“ Security Group allows unrestricted Telnet traffic 🟒
  • ID: /ce/ca/aws/ec2/security-group-allows-unrestricted-telnet-traffic
  • Located in: πŸ“ AWS EC2

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

Verify that Telnet traffic to AWS EC2 instances is restricted. The Telnet protocol, operating on port 23, should not be open to all IP ranges (0.0.0.0/0) due to its lack of encryption and inherent security vulnerabilities.

Rational​

Telnet transmits data, including credentials, in plaintext, making it highly susceptible to interception and exploitation by malicious actors. Allowing unrestricted Telnet access exposes instances to potential unauthorized access, data compromise, and increased vulnerability to man-in-the-middle attacks. By restricting Telnet traffic to trusted sources, you mitigate these risks and improve the overall security posture of your AWS environment. It's also encouraged to adopt secure alternatives, such as SSH, which provide encrypted communication.

Impact​

Requires configuration adjustments to ensure legitimate traffic is not disrupted.

Audit​

This policy marks an EC2 Security Group as INCOMPLIANT if it contains a rule that meets all the following conditions:

  • The Direction is set to Inbound.

... see more

Remediation​

Open File

Remediation​

From Command Line​

  1. Run the following command to remove or modify the unrestricted rule for Telnet access:
aws ec2 revoke-security-group-ingress \
--region {{region-name}} \
--group-id {{security-group-id}} \
--protocol {{protocol}} \
--port 23 \
--cidr {{0.0.0.0/0 or ::/0}}

  • Optionally, run the authorise-security-group-ingress command to create a new rule, specifying a trusted CIDR range instead of 0.0.0.0/0.

  1. Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:
aws ec2 describe-security-groups \
--region {{region-name}} \
--group-ids {{security-group-id}} \
--query 'SecurityGroups[*].IpPermissions[?FromPort==`23`].{CIDR:IpRanges[*].CidrIp,Port:FromPort}'
  1. Conduct tests to verify functionality of applications dependent on Telnet to ensure they are unaffected by the changes.
  2. Where possible, migrate services using Telnet to secure alternatives like SSH. Update configurations to use SSH and disable Telnet services.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [EC2.19] Security groups should not allow unrestricted access to ports with high risk10
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Threat Protection25
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23165
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1139
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)3114
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-2(2) Automation Support for Accuracy and Currency (M)(H)13
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)31821
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10633
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)17
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)19
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(21) Isolation of System Components (H)16
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)13
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)18
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)23
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)151
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4(21) Physical or Logical Separation of Information Flows (M)(H)39
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-2 Baseline Configuration (L)(M)(H)314
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-2(2) Automation Support for Accuracy and Currency (M)(H)13
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7 Least Functionality (L)(M)(H)321
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)729
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)17
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(5) Deny by Default β€” Allow by Exception (M)(H)19
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events83
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained31
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage40
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326173
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3539
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks15
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-2 Baseline Configuration713
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency13
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-7 Least Functionality911
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7 Boundary Protection29533
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services17
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(5) Boundary Protection _ Deny by Default β€” Allow by Exception519
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic15
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(16) Boundary Protection _ Prevent Discovery of System Components16
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(21) Boundary Protection _ Isolation of System Components16