Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: 3.5 Ensure RDP is restricted to only IP address that should have this access

Description

Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should identify which IP address need access.

Any ports enable within Lightsail by default are open and exposed to the world. This can result in outside traffic trying to access or even deny access to the Lightsail instances. Removing and adding approved IP address required for access.

Remediation

From the Console:

  1. Login to AWS Console using https://console.aws.amazon.com.
  2. Click All services, click Lightsail under Compute.
  3. This will open up the Lightsail console.
  4. Select the Windows Instance you want to review.
  5. Go to the Networking section.
  6. Under IPv4 networking find the SSH rule as shown below.
Application Protocol Port or range / Code Restricted to
RDP TCP 3389 Any IPv4 address
  1. Click on the edit icon.
  2. Click on the check box next to Restrict to IP address.
  3. Under Source IP address (192.0.2.0) or range (192.0.2.0-192.0.2.255 or 192.0.2.0/24) type the IP address' you want.

From the Command Line:

  1. Run aws lightsail put-ins
aws lightsail put-instance-public-ports --instance-name <instance_name> --port-info
fromPort=3389,protocol=TCP,toPort=3389,cidrs=110.111.221.100/32,110.111.221.202/32

This command will enter the IP addresses that should have access to the instances identified above in the Audit.

  1. Run aws lightsail get-instance-port-states for the Windows instance to confirm the new setting.
aws lightsail get-instance-port-states --instance-name <instance_name>

This command will provide a list of available Ports and show how the cidr value for Port 3389 is now set.

"portStates": [
{
"fromPort": 3389,
"toPort": 3389,
"protocol": "tcp",
"state": "open",
"cidrs": [
"110.111.221.100/32",
"110.111.221.202/32"
],
"cidrListAliases": []
}
]
  1. Repeat the remediation below for all other Windows instances identified in the Audit.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_3_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_3_5 --share

SQL

This control uses a named query:

with open_ports as (
  select
    name,
    jsonb_array_elements(networking -> 'Ports') as port
  from
    aws_lightsail_instance
),
port_cidrs as (
  select
    op.name,
    (op.port ->> 'FromPort')::int as from_port,
    (op.port ->> 'ToPort')::int as to_port,
    op.port ->> 'Protocol' as protocol,
    jsonb_array_elements_text(op.port -> 'Cidrs') as cidr
  from
    open_ports op
),
unrestricted_rdp_ports as (
  select
    name
  from
    port_cidrs
  where
    from_port = 3389
    and to_port = 3389
    and protocol = 'tcp'
    and cidr = '0.0.0.0/0'
)
select
  i.name as resource,
  case
    when urp.name is null then 'ok'
    else 'alarm'
  end as status,
  case
    when urp.name is null then i.name || ' has RDP (3389) restricted to specific IP addresses.'
    else i.name || ' has RDP (3389) open to the world (0.0.0.0/0).'
  end as reason,
  i.tags
from
  aws_lightsail_instance i
  left join unrestricted_rdp_ports urp on i.name = urp.name;

Tags

category = Compliance
cis = true
cis_item_id = 3.5
cis_level = 1
cis_section_id = 3
cis_type = manual
cis_version = v1.0.0
plugin = aws
service = AWS/Lightsail