Skip to main content

๐Ÿ›ก๏ธ AWS EC2 Security Group allows unrestricted traffic to Oracle DBMS๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Security Group allows unrestricted traffic to Oracle DBMS๐ŸŸข
  • ID: /ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-oracle-dbms
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-z-c82c9f971

Descriptionโ€‹

Open File

Descriptionโ€‹

Audit and modify AWS EC2 Security Groups to restrict inbound access to Oracle DBMS instances. Oracle DBMS typically runs on ports 1521, 1830, 2483 and 2484, and unrestricted access to these ports increases the risk of unauthorized access. Security Groups should be configured to allow traffic only from trusted IP addresses or internal systems to minimize exposure and safeguard sensitive data.

Rationalโ€‹

Allowing unrestricted access to Oracle DBMS increases the risk of unauthorized access, brute-force attacks, data theft, and exploitation of any vulnerabilities within Oracle. These databases are high-value targets for attackers, and exposing them to the public internet without proper controls can result in severe security incidents. By restricting access to trusted networks or IP ranges, you reduce the attack surface and improve the security posture of the Oracle database, helping to prevent unauthorized data access or modification.

Impactโ€‹

Requires careful implementation to avoid disrupting legitimate connections or business processes that require access to the database.

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Command Lineโ€‹

  1. Run the following command to remove or modify the unrestricted rule for Oracle DBMS access:
aws ec2 revoke-security-group-ingress \
--region {{region-name}} \
--group-id {{security-group-id}} \
--protocol {{protocol}} \
--port {{1521}} \
--cidr {{0.0.0.0/0 or ::/0}}

  • Optionally, run the authorise-security-group-ingress command to create a new rule, specifying a trusted CIDR range instead of 0.0.0.0/0.

  1. Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:
aws ec2 describe-security-groups \
--region {{region-name}} \
--group-ids {{security-group-id}} \
--query 'SecurityGroups[*].IpPermissions[?FromPort==`1521`].{CIDR:IpRanges[*].CidrIp,Port:FromPort}'
  1. Monitor Oracle DBMS access to ensure it's unaffected by the changes.

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36d access management controls โ€”only authorised users, software and hardware are able to access information assets (refer to Attachment B for further guidance);1414no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36e hardware and software asset controls โ€”appropriate authorisation to prevent security compromises from unauthorised hardware and software assets;1616no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36f network design โ€” to ensure authorised network traffic flows and to reduce the impact of security compromises;2930no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.3537no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 52d appropriate segmentation of data, based on sensitivity and access needs;1010no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 53 Wholesale access to sensitive data (e.g. contents of customer databases or intellectual property that can be exploited for personal gain) would be highly restricted to reduce the risk exposure to significant data leakage events. Industry experience of actual data leakage incidents include the unauthorised extraction of debit/credit card details, theft of personally identifiable information, loss of unencrypted backup media and the sale/trade or exploitation of customer identity data.1010no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Threat Protection36no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)1152no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ AC-4(21) Physical or Logical Separation of Information Flows (M)(H)52no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.9.4.1 Information access restriction1920no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.CM-1: The network is monitored to detect potential cybersecurity events1863no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1756no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)1044no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-5: Protections against data leaks are implemented4791no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.PT-4: Communications and control networks are protected1044no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events150no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties120no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk44no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected164no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected140no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected156no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.IR-01: Networks and environments are protected from unauthorized logical access and usage103no data
๐Ÿ’ผ NIST SP 800-53 Revision 4 โ†’ ๐Ÿ’ผ SC-7 BOUNDARY PROTECTION23531no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows3752no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1 Establish and implement firewall and router configuration standards7139no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1060no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.7836no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.624no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.24no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 1.3.5 Permit only โ€œestablishedโ€ connections into the network.24no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.34no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.60no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.60no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.19no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.24no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.1 Configuration standards for NSC rulesets are defined, implemented, maintained.2434no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.1 Inbound traffic to the CDE is restricted.760no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.3.2 Outbound traffic from the CDE is restricted.60no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.1 NSCs are implemented between trusted and untrusted networks.719no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.724no data
๐Ÿ’ผ UK Cyber Essentials โ†’ ๐Ÿ’ผ 1.2 Prevent access to the administrative interface from the internet3638no data