Control: 19 Security groups should not allow unrestricted access to ports with high risk
Description
This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports.
Unrestricted access (0.0.0.0/0) increases opportunities for malicious activity, such as hacking, denial-of-service attacks, and loss of data.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group should allow unrestricted ingress access to the following ports:
3389 (RDP)
20, 21 (FTP)
22 (SSH)
23 (Telnet)
110 (POP3)
143 (IMAP)
3306 (mySQL)
8080 (proxy)
1433, 1434 (MSSQL)
9200 or 9300 (Elasticsearch)
5601 (Kibana)
25 (SMTP)
445 (CIFS)
135 (RPC)
4333 (ahsp)
5432 (postgresql)
5500 (fcp-addr-srvr1)
Remediation
For information on how to delete rules from a security group, see Delete rules from a security group in the Amazon EC2 User Guide for Linux Instances.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ec2_19Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_ec2_19 --shareSQL
This control uses a named query:
with ingress_ssh_rules as ( select group_id, count(*) as num_ssh_rules from aws_vpc_security_group_rule where type = 'ingress' and cidr_ipv4 = '0.0.0.0/0' and ( ( ip_protocol = '-1' and from_port is null ) or ( from_port <= 22 and to_port >= 22 ) or ( from_port <= 3389 and to_port >= 3389 ) or ( from_port <= 21 and to_port >= 21 ) or ( from_port <= 20 and to_port >= 20 ) or ( from_port <= 3306 and to_port >= 3306 ) or ( from_port <= 4333 and to_port >= 4333 ) or ( from_port <= 23 and to_port >= 23 ) or ( from_port <= 25 and to_port >= 25 ) or ( from_port <= 445 and to_port >= 445 ) or ( from_port <= 110 and to_port >= 110 ) or ( from_port <= 135 and to_port >= 135 ) or ( from_port <= 143 and to_port >= 143 ) or ( from_port <= 1433 and to_port >= 3389 ) or ( from_port <= 3389 and to_port >= 1434 ) or ( from_port <= 5432 and to_port >= 5432 ) or ( from_port <= 5500 and to_port >= 5500 ) or ( from_port <= 5601 and to_port >= 5601 ) or ( from_port <= 9200 and to_port >= 9300 ) or ( from_port <= 8080 and to_port >= 8080 ) ) group by group_id)select arn as resource, case when ingress_ssh_rules.group_id is null then 'ok' else 'alarm' end as status, case when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for common ports from 0.0.0.0/0..' else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for common ports from 0.0.0.0/0.' end as reason , sg.region, sg.account_idfrom aws_vpc_security_group as sg left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id;