Amazon EC2

Unrestricted public access in security groups

Ensure there are no unsecured inbound rules of the security group attached to an EC2 instance

Risk Level: High

Description

This plugin checks security groups for inbound rules that allow unrestricted access to a resource. Unrestricted access means that resources in these security groups can be reached from any source: there is no restriction on the IP addresses that can reach the instance with the specified protocol. This increases the opportunities for malicious activity (hacking, denial-of-service attacks, loss of data).

To minimize false positives, this plugin reports only those security groups that have a public IP address associated with at least one of their network interfaces.

About the Service

Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. With Amazon EC2, you can launch as many virtual servers as you need, configure security and networking, and manage storage without having to provision the underlying hardware. Security groups act as a firewall for an EC2 instance, controlling its incoming and outgoing traffic. You can read more about security groups here.

Impact

Security groups act as a firewall for EC2 instances, controlling their incoming and outgoing traffic. Rules defined in a security group allow certain IP addresses to reach the EC2 instance on the specified protocol and ports. If a large range of IP addresses is allowed, an attacker can scan the ports and exploit vulnerabilities in the hosted applications without easy traceability.

Compliances Covered

PCI: PCI has explicit requirements around firewalled access to systems. To fulfill the requirements of PCI standards, unauthorized access must not be allowed.

HIPAA: HIPAA requires strict access controls to networks and services processing sensitive data. Security groups are the built-in method for restricting access to AWS services and should be configured to allow least-privilege access.

Steps to Reproduce

Using the AWS Console:

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if you are already logged in.
  3. Go to Security Groups in the Network & Security section of the left navigation pane.
  4. You will find a list of the available security groups; select the one you want to examine by clicking its Security group ID.
  5. The Inbound rules tab will be selected, along with a list of the rules for the security group. Inspect the Source column and find the rules whose source is set to Anywhere (0.0.0.0/0 or ::/0). Such a rule means that the instances and resources attached to the security group accept requests from the public internet over the listed protocol.
  6. Repeat steps 4 and 5 for every security group you want to investigate.
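The same check can be run programmatically. The following is an added example, not the plugin's own code: it flags inbound rules whose source is Anywhere, and applies the same false-positive filter as the description by reporting a group only when one of its network interfaces has a public IP. The sample data is constructed in the shape of the EC2 DescribeSecurityGroups and DescribeNetworkInterfaces responses; the group IDs and addresses are illustrative and nothing is fetched from AWS.

```python
"""Flag security groups with inbound rules open to Anywhere, reporting only those
attached to a network interface with a public IP (constructed data, no AWS calls)."""
from typing import Dict, Iterable, List

OPEN_SOURCES = {"0.0.0.0/0", "::/0"}  # shown as "Anywhere" in the console

def open_inbound_rules(group: dict) -> List[str]:
    """Describe each inbound rule of one security group whose source is Anywhere."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":  # -1 means every protocol and every port
            ports = "all traffic"
        elif perm.get("FromPort") == perm.get("ToPort"):
            ports = f"{proto}/{perm.get('FromPort')}"
        else:
            ports = f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}"
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        findings += [f"{ports} from {src}" for src in sources if src in OPEN_SOURCES]
    return findings

def public_group_ids(interfaces: Iterable[dict]) -> set:
    """IDs of security groups attached to at least one ENI that has a public IP."""
    ids = set()
    for eni in interfaces:
        if eni.get("Association", {}).get("PublicIp"):
            ids.update(g["GroupId"] for g in eni.get("Groups", []))
    return ids

def unrestricted_public_access(groups, interfaces) -> Dict[str, List[str]]:
    """Offending group ID -> open rules. Groups with no public interface are
    skipped, which is the false-positive filter described for the plugin."""
    public = public_group_ids(interfaces)
    hits = {g["GroupId"]: open_inbound_rules(g) for g in groups if g["GroupId"] in public}
    return {gid: rules for gid, rules in hits.items() if rules}

# Constructed sample data; group IDs and addresses are illustrative.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_INTERFACES = [
    {"Groups": [{"GroupId": "sg-web"}], "Association": {"PublicIp": "198.51.100.10"}},
    {"Groups": [{"GroupId": "sg-internal"}]},  # private-only ENI, so sg-internal is not reported
]
REPORT = unrestricted_public_access(SAMPLE_GROUPS, SAMPLE_INTERFACES)
```

With the sample data, only sg-web is reported (SSH open over IPv4 and HTTP open over IPv6); sg-internal is wide open but has no public interface, so it is suppressed.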

Steps for Remediation

Modify the security group so that it allows only the specific port and protocol that are needed, or restrict access to only those IP addresses that require it.

  1. Log in to your AWS Console.
  2. Open the EC2 Management Console. You can use this link (https://console.aws.amazon.com/ec2) to navigate directly if you are already logged in.
  3. Go to Security Groups in the Network & Security section of the left navigation pane.
  4. You will find a list of the available security groups; select the Security group ID of the security group that has public access.
  5. The Inbound rules tab will be selected, along with a list of the rules for the security group. Click the Edit inbound rules button on the right.
  6. From the list of rules, click the close button beside the 0.0.0.0/0 or ::/0 entry in the Source column. This clears all the IP addresses allowed to access the instance. From the Source drop-down menu, select Custom and enter all the IP addresses you want to grant access over the specified protocol. To allow only your own IP address to access the instance, select the My IP option. You can read more about all the available options here.
  7. Click Preview changes to review the changes, and Save rules to save them.
  8. Repeat steps 4 to 7 for every security group you want to fix.