Control: 6.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access

Description

Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches.

Remediation

From Console:

Login to the AWS Management Console.
Navigate to the EC2 Dashboard and select the Security Groups section under Network & Security.
Identify the security group that allows unrestricted ingress on port 445.
Select the security group and click the Edit Inbound Rules button.
Locate the rule allowing unrestricted access on port 445 (typically listed as 0.0.0.0/0 or ::/0).
Modify the rule to restrict access to specific IP ranges or trusted networks only.
Save the changes to the security group.
Note: EBS volume encryption is configured per region.

From Command Line:

Run the following command to remove or modify the unrestricted rule for CIFS access:

aws ec2 revoke-security-group-ingress --region <region-name> --group-id <security-group-id> --protocol tcp --port 445 --cidr 0.0.0.0/0

Optionally, run the authorise-security-group-ingress command to create a new rule, specifying a trusted CIDR range instead of 0.0.0.0/0.

Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:

aws ec2 describe-security-groups --region <region-name> --group-ids <security-group-id> --query "SecurityGroups[*].IpPermissions[?((IpProtocol=='-1') || (FromPort<=\`445\` && ToPort>=\`445\`))].{IpProtocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,CIDRv4:IpRanges[*].CidrIp,CIDRv6:Ipv6Ranges[*].CidrIpv6}"

Repeat the remediation for other security groups and regions as necessary.

Default Value:

By default, security groups can allow unrestricted CIFS access (port 445) if configured, including 0.0.0.0/0 or ::/0. AWS does not automatically restrict this; controls must be set manually to limit access to trusted networks.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_6_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_6_1_2 --share

SQL

This control uses a named query:

with ingress_cifs_rules as (
  select
    group_id,
    count(*) as num_cifs_rules
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
    and (
      (
        ip_protocol = '-1'
        and from_port is null
      )
      or (
        from_port <= 445
        and to_port >= 445
      )
    )
    group by
      group_id
)
select
  arn as resource,
  case
    when ingress_cifs_rules.group_id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when ingress_cifs_rules.group_id is null then sg.group_id || ' ingress restricted for CIFS port (445) from 0.0.0.0/0 and ::/0.'
    else sg.group_id || ' contains ' || ingress_cifs_rules.num_cifs_rules || ' ingress rule(s) allowing access on CIFS port (445) from 0.0.0.0/0 or ::/0..'
  end as reason
  
  , region, account_id
from
  aws_vpc_security_group as sg
  left join ingress_cifs_rules on ingress_cifs_rules.group_id = sg.group_id;