Control: 3.3 Disable SSH and RDP ports for Lightsail instances when not needed
Description
Any port enabled within Lightsail is, by default, open and exposed to the world. For SSH and RDP access you should remove and disable these ports when they are not in use.
An exposed port invites outside traffic that tries to access, or even deny access to, the Lightsail instance. Removing a protocol entirely when it is not in use, even if it is already restricted by IP address, is the safest option, especially when it is not required for access.
Remediation
From the Console:
- Login to AWS Console using https://console.aws.amazon.com.
- Click All services, then click Lightsail under Compute. This opens the Lightsail console.
- Select the Windows or Linux instance you want to review, then go to the Networking section.
- If it is a Windows instance, confirm that SSH has been removed. If it is a Linux instance, confirm that RDP has been removed.
- If SSH (TCP port 22) is present on a Windows instance, or RDP (TCP port 3389) is present on a Linux instance, click the delete (trash can) icon next to the rule to remove it.
- If the server needs HTTP (TCP port 80), confirm that the application redirects port 80 to HTTPS (TCP port 443).
- If the server does not need HTTP, click the delete icon to remove the port 80 rule.
- Confirm that there are no other unused or unneeded ports.
- If the system has other ports that are not required or not in use, click the delete icon to remove each of them.
From the Command Line:
- Run aws lightsail close-instance-public-ports for each rule that should not be open, specifying the port range and protocol of the rule to remove:
For Windows (remove SSH):
aws lightsail close-instance-public-ports --instance-name <Windows_Instance_Name> --port-info fromPort=22,protocol=TCP,toPort=22
For Linux (remove RDP):
aws lightsail close-instance-public-ports --instance-name <Linux_Instance_Name> --port-info fromPort=3389,protocol=TCP,toPort=3389
For HTTP (any instance that does not need it):
aws lightsail close-instance-public-ports --instance-name <ANY_Instance_Name> --port-info fromPort=80,protocol=TCP,toPort=80
- Repeat for every instance identified in the audit that has SSH, RDP or HTTP open and does not require it based on the OS or the use of the system.
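The commands above remove one rule from one instance at a time. The following script is an added example, not code from the CIS benchmark, Powerpipe or Turbot: it applies the same per-OS decision (SSH unwanted on Windows, RDP unwanted on Linux, HTTP flagged for review) to the port states of an instance and emits the matching close-instance-public-ports commands instead of running them, so nothing is changed until you review the plan. It assumes that Windows blueprint IDs begin with "windows" (Linux otherwise), uses the lowercase protocol names the Lightsail API documents (tcp, udp, icmp, all), and the instance name, blueprint ID and port-state lines in the demo are constructed sample data, not output from a real account.

```shell
#!/usr/bin/env bash
# Added example (not CIS, Powerpipe or Turbot code). Plans, rather than runs,
# Lightsail firewall rule removals for control 3.3.
set -eu

# Classify a single firewall rule for an instance.
#   $1 = blueprint id (e.g. "windows_server_2022" or "amazon_linux_2023")
#   $2 = fromPort, $3 = toPort, $4 = protocol (lowercase, as the API reports it)
# Prints "close" (rule must go), "review" (needs a human decision) or "keep".
rule_verdict() {
  local blueprint=$1 from=$2 to=$3 proto=$4 os=linux
  # Assumption: Windows blueprint ids start with "windows"; everything else is Linux/Unix.
  case "$blueprint" in windows*) os=windows ;; esac
  # Only single-port TCP rules are classified; ranges and other protocols are left for manual review.
  if [ "$proto" != tcp ] || [ "$from" != "$to" ]; then echo keep; return; fi
  case "$os:$from" in
    windows:22) echo close ;;   # SSH has no business on a Windows instance
    linux:3389) echo close ;;   # RDP has no business on a Linux instance
    *:80)       echo review ;;  # plain HTTP: keep only if the app redirects 80 -> 443
    *)          echo keep ;;
  esac
}

# Read "fromPort toPort protocol state" lines for one instance from stdin, as produced by
#   aws lightsail get-instance-port-states --instance-name NAME \
#     --query 'portStates[].[fromPort,toPort,protocol,state]' --output text
# and print one close-instance-public-ports command per rule that must be removed.
#   $1 = instance name, $2 = blueprint id
plan_closures() {
  local name=$1 blueprint=$2 from to proto state
  while read -r from to proto state; do
    [ "$state" = open ] || continue
    case "$(rule_verdict "$blueprint" "$from" "$to" "$proto")" in
      close)
        printf 'aws lightsail close-instance-public-ports --instance-name %s --port-info fromPort=%s,toPort=%s,protocol=%s\n' \
          "$name" "$from" "$to" "$proto" ;;
      review)
        printf '# review: %s has TCP %s open; confirm it redirects to HTTPS or close it\n' "$name" "$from" ;;
    esac
  done
}

# Constructed sample (not real account data): port states of a hypothetical Windows instance.
SAMPLE_WINDOWS_PORTS='22 22 tcp open
3389 3389 tcp open
80 80 tcp open
443 443 tcp open'

# Demo run on the constructed sample: prints one close command (port 22) and one review note (port 80).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_WINDOWS_PORTS" | plan_closures win-2022-01 windows_server_2022
fi

# Live use against an account (needs AWS credentials; the output is a plan to read before running it):
#   aws lightsail get-instances --query 'instances[].[name,blueprintId]' --output text |
#   while read -r name bp; do
#     aws lightsail get-instance-port-states --instance-name "$name" \
#       --query 'portStates[].[fromPort,toPort,protocol,state]' --output text | plan_closures "$name" "$bp"
#   done
```

Run it with --demo to see the plan for the sample instance; for a real account, pipe the live loop in the trailing comment through the script and execute only the emitted commands you agree with. The script never calls close-instance-public-ports itself, which keeps the change step deliberate and reviewable.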
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_3_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_3_3 --share
SQL
This control uses a named query:
lightsail_instance_ssh_rdp_http_ports_disabled