Control: 3.4 Ensure SSH is restricted to only IP address that should have this access
Description
Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should identify which IP address need access.
Any ports enable within Lightsail by default are open and exposed to the world. This can result in outside traffic trying to access or even deny access to the Lightsail instances. Removing and adding approved IP address required for access.
Remediation
From the Console:
- Login to AWS Console using https://console.aws.amazon.com.
- Click
All services
, clickLightsail
under Compute. - This will open up the Lightsail console.
- Select the
Linux Instance
you want to review. - Go to the Networking section.
- Under IPv4 networking find the SSH rule as shown below.
Application Protocol Port or range / Code Restricted toSSH TCP 22 Any IPv4 address
- Click on the edit icon.
- Click on the check box next to Restrict to IP address.
- Under
Source IP address (192.0.2.0) or range (192.0.2.0-192.0.2.255 or 192.0.2.0/24)
type the IP address' you want.
From the Command Line:
- Run
aws lightsail put-ins
aws lightsail put-instance-public-ports --instance-name <instance_name> --port-infofromPort=22,protocol=TCP,toPort=22,cidrs=110.111.221.100/32,110.111.221.202/32
This command will enter the IP addresses that should have access to the instances identified above in the Audit.
- Run
aws lightsail get-instance-port-states
for the Linux instance to confirm the new setting.
aws lightsail get-instance-port-states --instance-name <instance_name>
This command will provide a list of available Ports and show how the cidr value for Port 22 is now set.
{ "fromPort": 22, "toPort": 22, "protocol": "tcp", "state": "open", "cidrs": [ "110.111.221.100/32", "110.111.221.202/32" ], "cidrListAliases": []},
- Repeat the remediation below for all other instances identified in the Audit.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_3_4
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_compute_service_v100_3_4 --share
SQL
This control uses a named query:
lightsail_instance_ssh_restricted_ip