🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢

• Contextual name: 🛡️ Security Group allows unrestricted Telnet traffic🟢
• ID: /ce/ca/aws/ec2/security-group-allows-unrestricted-telnet-traffic
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS EC2 Security Group
  • 🔌 AWS EC2 Security Group Rule - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Unrestricted Telnet Access

Description

Open File

Description

Verify that Telnet traffic to AWS EC2 instances is restricted. The Telnet protocol, operating on port 23, should not be open to all IP ranges (0.0.0.0/0) due to its lack of encryption and inherent security vulnerabilities.

Rationale

Telnet transmits data, including credentials, in plaintext, making it highly susceptible to interception and exploitation by malicious actors. Allowing unrestricted Telnet access exposes instances to potential unauthorized access, data compromise, and increased vulnerability to man-in-the-middle attacks. By restricting Telnet traffic to trusted sources, you mitigate these risks and improve the overall security posture of your AWS environment. It's also encouraged to adopt secure alternatives, such as SSH, which provide encrypted communication.

Impact

Requires configuration adjustments to ensure legitimate traffic is not disrupted.

Audit

This policy marks an EC2 Security Group as INCOMPLIANT if it contains a rule that meets all the following conditions:

• The Direction is set to Inbound.

... see more

Remediation

Open File

Remediation

From Command Line

1. Run the following command to remove or modify the unrestricted rule for Telnet access:

   aws ec2 revoke-security-group-ingress \
       --region {{region-name}} \
       --group-id {{security-group-id}} \
       --protocol {{protocol}} \
       --port 23 \
       --cidr {{0.0.0.0/0 or ::/0}}

   • Optionally, run the authorize-security-group-ingress command to create a new rule, specifying a trusted CIDR range instead of 0.0.0.0/0.

2. Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:

   aws ec2 describe-security-groups \
       --region {{region-name}} \
       --group-ids {{security-group-id}} \
       --query 'SecurityGroups[*].IpPermissions[?FromPort==`23`].{CIDR:IpRanges[*].CidrIp,Port:FromPort}'

3. Conduct tests to verify functionality of applications dependent on Telnet to ensure they are unaffected by the changes.

4. Where possible, migrate services using Telnet to secure alternatives like SSH. Update configurations to use SSH and disable Telnet services.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [EC2.19] Security groups should not allow unrestricted access to ports with high risk			10		no data
💼 Cloudaware Framework → 💼 Network Exposure			132		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105		no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	63		no data
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	47		no data
💼 FedRAMP High Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			22		no data
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 FedRAMP High Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)			19		no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37		no data
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			45		no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)			29		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			63		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		47		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			22		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3		33		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(5) Deny by Default — Allow by Exception (M)(H)			19		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	63		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-9(1) Internal System Connections _ Compliance Checks			54		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		46		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency			22		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-7 Least Functionality	9		23		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	93		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception		4	19		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37		no data