Control: 4.4 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
Description
Security groups provide filtering of ingress/egress network traffic to Aliyun resources. It is recommended that no security group allows unrestricted ingress access to port 3389.
Remediation
- Logon to ECS Console.
- In the left pane, click to expand
Network and Security, clickSecurity Groups.
For each security group, perform the following:
- Select the
security group. - Click
Add Rules. - Click the
Inboundtab. - Identify the rules
to be removed. - Click
Deletein the Remove column. - Click
OK.
Default Value:
By default, Authorization Object and port range are not set.
Usage
Run the control in your terminal:
powerpipe control run alicloud_compliance.control.cis_v200_4_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run alicloud_compliance.control.cis_v200_4_4 --shareSQL
This control uses a named query:
with bad_groups as ( select distinct arn from alicloud_ecs_security_group, jsonb_array_elements(permissions) as p where p ->> 'Policy' = 'Accept' and p ->> 'Direction' = 'ingress' and p ->> 'SourceCidrIp' = '0.0.0.0/0' and ( p ->> 'PortRange' in ('-1/-1', '3389/3389') or (3389 between split_part(p ->> 'PortRange', '/', 1) :: int and split_part(p ->> 'PortRange', '/', 2) :: int) ))select a.arn as resource, case when b.arn is null then 'ok' else 'alarm' end as status, case when b.arn is null then a.security_group_id || ' does not allow ingress from 0.0.0.0/0 to port 3389.' else a.security_group_id || ' allow ingress from 0.0.0.0/0 to port 3389.' end as reason , a.account_id as account_id, a.region as regionfrom alicloud_ecs_security_group as aleft join bad_groups as b on a.arn = b.arn;