AWS Workspaces

Workspaces IP Access Control Too Open

This plugin checks that IP access control is configured for WorkSpaces and that the WorkSpaces are not left open to the public.

Risk Level: HIGH

Description:

This plugin verifies that an IP access control group exists for each WorkSpaces directory and that none of its rules leave the WorkSpaces open to the public. A group whose source rule is 0.0.0.0/0 allows access from any IP address on the internet.

SentinelOne CNS strongly recommends enabling proper IP Access Controls for all workspaces.

About the Service:

Amazon WorkSpaces lets you provision virtual, cloud-based Microsoft Windows or Amazon Linux desktops, known as WorkSpaces, for your users. WorkSpaces requires no hardware or complicated software to be procured and deployed. When your needs change, you can rapidly add or remove users. Users can access their virtual desktops from a variety of devices and web browsers.

Impact:

Without this check, an IP access control group rule open to 0.0.0.0/0 can go unnoticed, leaving the WorkSpaces reachable from any public IP address and weakening the security of the organization.

Steps to reproduce:

  1. Log in to the AWS Console.
  2. Navigate to the WorkSpaces dashboard (https://console.aws.amazon.com/workspaces/).
  3. Then navigate to “Directories” under WorkSpaces in the left navigation panel.
  4. Select the directory and then click on the “Actions” button.
  5. Next, click on “Update Details” in the dropdown that appears.
  6. The Update Directory Details tab appears. Navigate to “IP Access Control Groups” and look for the group to examine.
  7. We can observe that the group name is “pingsafe-test”. We now navigate to the IP Access Control tab under WorkSpaces in the left navigation pane.
  8. Then, we select the group and view the Source section under “pingsafe-test-Rules”.
  9. We can clearly observe that the Source is 0.0.0.0/0, which means the WorkSpaces are publicly accessible from any IP address.
  10. Repeat the steps for other workspaces.
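
The check described in the steps above, as an added script that is not SentinelOne's or AWS's own code: it applies the same 0.0.0.0/0 test to every rule of every IP access control group and can optionally flag any prefix broader than a chosen length (an assumed, configurable policy). The sample data is constructed to match the shape of the WorkSpaces DescribeIpGroups response; the `fetch_ip_groups` helper and the field names it reads assume the boto3 WorkSpaces API.

```python
"""Audit AWS WorkSpaces IP access control groups for rules open to the internet."""
import ipaddress

# Constructed sample shaped like a DescribeIpGroups "Result" list (not real data).
SAMPLE_IP_GROUPS = [
    {"groupId": "wsipg-example1", "groupName": "pingsafe-test",
     "userRules": [{"ipRule": "0.0.0.0/0", "ruleDesc": "pingsafe-test-Rules"}]},
    {"groupId": "wsipg-example2", "groupName": "corp-office",
     "userRules": [{"ipRule": "203.0.113.0/24", "ruleDesc": "office egress"},
                   {"ipRule": "198.51.100.7/32", "ruleDesc": "VPN concentrator"}]},
    {"groupId": "wsipg-example3", "groupName": "too-broad",
     "userRules": [{"ipRule": "0.0.0.0/1", "ruleDesc": "half the internet"}]},
]


def is_open_rule(ip_rule, min_prefixlen=1):
    """True if the rule's prefix length is shorter than min_prefixlen.

    The default (1) flags exactly 0.0.0.0/0, the case this check looks for;
    pass e.g. 8 to also flag anything broader than a /8 (assumed policy).
    """
    try:
        net = ipaddress.ip_network(ip_rule, strict=False)
    except ValueError:
        return False  # unparsable rule: not judged here, report it separately
    return net.prefixlen < min_prefixlen


def find_open_groups(ip_groups, min_prefixlen=1):
    """Return (groupId, groupName, ipRule, ruleDesc) for every open rule."""
    findings = []
    for group in ip_groups:
        for rule in group.get("userRules", []):
            if is_open_rule(rule.get("ipRule", ""), min_prefixlen):
                findings.append((group["groupId"], group["groupName"],
                                 rule["ipRule"], rule.get("ruleDesc", "")))
    return findings


def fetch_ip_groups(region_name="us-east-1"):
    """Live lookup via boto3 (needs credentials); follows NextToken pagination."""
    import boto3  # imported lazily so the offline functions above need no boto3
    client = boto3.client("workspaces", region_name=region_name)
    groups, kwargs = [], {}
    while True:
        page = client.describe_ip_groups(**kwargs)
        groups.extend(page.get("Result", []))
        if not page.get("NextToken"):
            return groups
        kwargs["NextToken"] = page["NextToken"]
```

Against a real account, `find_open_groups(fetch_ip_groups("<region>"))` returns the same tuples for every group in that region; an empty list means no rule matched.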

Steps for remediation:

  1. Log in to the AWS Console.
  2. Navigate to the WorkSpaces dashboard (https://console.aws.amazon.com/workspaces/).
  3. Then navigate to “Directories” under WorkSpaces in the left navigation panel.
  4. Select the directory and then click on the “Actions” button.
  5. Next, click on “Update Details” in the dropdown that appears.
  6. The Update Directory Details tab appears. Navigate to “IP Access Control Groups” and look for the group to examine.
  7. We can observe that the group name is “pingsafe-test”. We now navigate to the IP Access Control tab under WorkSpaces in the left navigation pane.
  8. Then, we select the group and view the Source section under “pingsafe-test-Rules”.
  9. We can clearly observe that the Source is 0.0.0.0/0, which means the WorkSpaces are publicly accessible from any IP address.
  10. Click on “Edit”, replace the 0.0.0.0/0 source with the specific IP address or range that should be allowed, and hit “Save”.
  11. Repeat the steps for other workspaces.
