AWS EC2 Security Group allows unrestricted traffic to all ports
- Contextual name: Security Group allows unrestricted traffic to all ports
- ID:
/ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-all-ports
- Located in: AWS EC2
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type:
COMPLIANCE_POLICY
- Policy Category:
SECURITY
Similar Policies
- Internal
dec-x-3e95721c
Similar Internal Rules
Rule | Policies | Flags |
---|---|---|
dec-x-3e95721c | 1 | |
Logic
- prod.logic.yaml
Description
Audit and restrict AWS EC2 Security Group configurations to prevent unrestricted traffic across all ports. Security Groups allowing inbound traffic to all ports (0-65535) from unrestricted IP ranges (e.g., 0.0.0.0/0) pose a critical security risk and should be modified to permit access only to specific ports and trusted IP ranges as per application requirements.
Rationale
Allowing unrestricted traffic to all ports exposes instances to a broad range of threats, including unauthorized access, malware, data exfiltration, and exploitation of known and unknown vulnerabilities. Such configurations significantly increase the attack surface of your infrastructure and make it easier for malicious actors to compromise systems. Restricting access to specific ports and trusted IP ranges minimizes exposure and reduces the risk of data breaches and unauthorized activity.
Impact
Requires careful planning to avoid disrupting legitimate traffic or business operations.
Audit
This policy marks an EC2 Security Group as INCOMPLIANT if it contains a rule that meets all the following conditions:
Remediation
From Command Line
- Run the following command to remove the unrestricted rule. The revoke must match the existing rule exactly (protocol, port range and source CIDR); a request that does not match removes nothing.
aws ec2 revoke-security-group-ingress \
--region {{region-name}} \
--group-id {{security-group-id}} \
--protocol {{tcp or udp}} \
--port 0-65535 \
--cidr 0.0.0.0/0
For an "All traffic" rule (protocol -1), pass --protocol all and omit --port. The --cidr shorthand accepts IPv4 only; to revoke an IPv6 ::/0 source, describe the rule as JSON with --ip-permissions and place the CIDR under Ipv6Ranges (CidrIpv6).
Optionally, run the authorize-security-group-ingress command to create a replacement rule that opens only the ports the application needs and specifies a trusted CIDR range instead of 0.0.0.0/0.
- Confirm the change by describing the security group again. The query below lists every inbound rule that still covers all ports ("All traffic", or tcp/udp spanning 0-65535) together with its IPv4 and IPv6 sources; none of the listed sources should be 0.0.0.0/0 or ::/0:
aws ec2 describe-security-groups \
--region {{region-name}} \
--group-ids {{security-group-id}} \
--query 'SecurityGroups[*].IpPermissions[?IpProtocol==`"-1"` || (FromPort==`0` && ToPort==`65535`)].{Protocol:IpProtocol,From:FromPort,To:ToPort,IPv4:IpRanges[*].CidrIp,IPv6:Ipv6Ranges[*].CidrIpv6}'
- Conduct tests to verify functionality of applications to ensure they are unaffected by the changes.
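The audit condition from the Description and the remediation procedure above, worked end to end as an added example. This is not Cloudaware's prod.logic.yaml and not AWS code. Because the page's own condition list is truncated, the matching criteria are an assumption taken from the Description: an inbound rule violates the policy when it covers every port (IpProtocol "-1", or tcp/udp with port range 0-65535) and its source includes 0.0.0.0/0 or ::/0. Input is a security group in the JSON shape returned by aws ec2 describe-security-groups, embedded here as a constructed sample; no AWS call is made, and the output is the exact revoke-security-group-ingress invocation for each offending (rule, CIDR) pair.

```python
"""Audit a security group for world-open all-port ingress rules and build the
matching revoke payloads. Added example; criteria are assumed from the policy
Description (the page's own condition list is truncated)."""
import json
import shlex

ALL_PORTS = (0, 65535)


def covers_all_ports(perm):
    """True when an IpPermission entry applies to every port."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                      # "All traffic": carries no FromPort/ToPort
        return True
    if proto in ("tcp", "udp"):
        return (perm.get("FromPort"), perm.get("ToPort")) == ALL_PORTS
    return False                           # icmp and friends have no port range to cover


def unrestricted_sources(perm):
    """Any-address CIDRs in the rule; AWS keeps v4 and v6 sources in separate lists."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
    return v4 + v6


def find_violations(sg):
    """One revoke payload per offending (rule, world CIDR) pair in the ingress rules.

    RevokeSecurityGroupIngress only removes what matches exactly, so each payload
    copies protocol and port range from the rule itself and names just the offending
    CIDR, leaving trusted CIDRs on the same rule untouched.
    """
    payloads = []
    for perm in sg.get("IpPermissions", []):      # ingress; egress is IpPermissionsEgress
        if not covers_all_ports(perm):
            continue
        for cidr in unrestricted_sources(perm):
            entry = {"IpProtocol": perm["IpProtocol"]}
            if perm["IpProtocol"] != "-1":
                entry["FromPort"] = perm["FromPort"]
                entry["ToPort"] = perm["ToPort"]
            if ":" in cidr:
                entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]   # --cidr cannot express ::/0
            else:
                entry["IpRanges"] = [{"CidrIp": cidr}]
            payloads.append(entry)
    return payloads


def revoke_commands(sg, region):
    """CLI invocations (argv lists) that remove each violation via --ip-permissions."""
    return [
        ["aws", "ec2", "revoke-security-group-ingress",
         "--region", region, "--group-id", sg["GroupId"],
         "--ip-permissions", json.dumps([p])]
        for p in find_violations(sg)
    ]


# Constructed sample (not real infrastructure) in describe-security-groups shape.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        # "All traffic" from anywhere, v4 and v6: two violations
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # tcp 0-65535 with one trusted and one world source: one violation, 10.0.0.0/8 stays
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
        # world-open but a single port: outside this policy's scope
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # all ports but only from a trusted range: compliant
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

if __name__ == "__main__":
    for argv in revoke_commands(SAMPLE_SG, "{{region-name}}"):
        print(shlex.join(argv))
```

Verification is the same function run again: feed the fresh describe-security-groups output for the group to find_violations and expect an empty list before signing off on the change.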
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
Cloudaware Framework → Threat Protection | 25 | | | |
UK Cyber Essentials → 1.2 Prevent access to the administrative interface from the internet | 33 | 36 | | |