Control: 6.1.2 Ensure CIFS access is restricted to trusted networks to prevent unauthorized access
Description
Common Internet File System (CIFS) is a network file-sharing protocol that allows systems to share files over a network. However, unrestricted CIFS access can expose your data to unauthorized users, leading to potential security risks. It is important to restrict CIFS access to only trusted networks and users to prevent unauthorized access and data breaches.
Remediation
From Console:
- Login to the AWS Management Console.
- Navigate to the EC2 Dashboard and select the Security Groups section under Network & Security.
- Identify the security group that allows unrestricted ingress on port 445.
- Select the security group and click the Edit Inbound Rules button.
- Locate the rule allowing unrestricted access on port 445 (typically listed as 0.0.0.0/0 or ::/0).
- Modify the rule to restrict access to specific IP ranges or trusted networks only.
- Save the changes to the security group.
Note: EBS volume encryption is configured per region.
From Command Line:
- Run the following command to remove or modify the unrestricted rule for CIFS access:
aws ec2 revoke-security-group-ingress --region <region-name> --group-id <security-group-id> --protocol tcp --port 445 --cidr 0.0.0.0/0
- Optionally, run the aws ec2 authorize-security-group-ingress command to create a new rule, specifying a trusted CIDR range instead of 0.0.0.0/0.
- Confirm the changes by describing the security group again and ensuring the unrestricted access rule has been removed or appropriately restricted:
aws ec2 describe-security-groups --region <region-name> --group-ids <security-group-id> --query "SecurityGroups[*].IpPermissions[?((IpProtocol=='-1') || (FromPort<=\`445\` && ToPort>=\`445\`))].{IpProtocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,CIDRv4:IpRanges[*].CidrIp,CIDRv6:Ipv6Ranges[*].CidrIpv6}"
- Repeat the remediation for other security groups and regions as necessary.
Default Value:
By default, security groups can allow unrestricted CIFS access (port 445) if configured, including 0.0.0.0/0 or ::/0. AWS does not automatically restrict this; controls must be set manually to limit access to trusted networks.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_6_1_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_6_1_2 --share
SQL
This control uses a named query:
with ingress_cifs_rules as (
  select
    group_id,
    count(*) as num_cifs_rules
  from
    aws_vpc_security_group_rule
  where
    type = 'ingress'
    and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')
    and (
      (ip_protocol = '-1' and from_port is null)
      or (from_port <= 445 and to_port >= 445)
    )
  group by
    group_id
)
select
  arn as resource,
  case
    when ingress_cifs_rules.group_id is null then 'ok'
    else 'alarm'
  end as status,
  case
    when ingress_cifs_rules.group_id is null then sg.group_id || ' ingress restricted for CIFS port (445) from 0.0.0.0/0 and ::/0.'
    else sg.group_id || ' contains ' || ingress_cifs_rules.num_cifs_rules || ' ingress rule(s) allowing access on CIFS port (445) from 0.0.0.0/0 or ::/0.'
  end as reason,
  region,
  account_id
from
  aws_vpc_security_group as sg
  left join ingress_cifs_rules on ingress_cifs_rules.group_id = sg.group_id;
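The same rule logic re-implemented in Python over the JSON shape returned by aws ec2 describe-security-groups, as an added example that is not part of the Powerpipe mod: it lets you evaluate exported security groups offline with exactly the conditions the query above uses (all-traffic rule, or a port range that spans 445, from 0.0.0.0/0 or ::/0). The group IDs and permissions are constructed sample data, not real AWS output.

```python
"""Offline re-implementation of the CIFS (port 445) ingress check (constructed example)."""

CIFS_PORT = 445
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"


def permission_covers_cifs(perm: dict) -> bool:
    """True if this IpPermission reaches port 445 (any protocol, as the control's SQL does)."""
    if perm.get("IpProtocol") == "-1":  # all traffic: no FromPort/ToPort present
        return True
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= CIFS_PORT <= to_port


def open_cidr_count(perm: dict) -> int:
    """Number of 'anywhere' CIDRs (0.0.0.0/0 or ::/0) on this permission; each is one rule row."""
    v4 = sum(1 for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_V4)
    v6 = sum(1 for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_V6)
    return v4 + v6


def evaluate_security_group(sg: dict) -> tuple[str, str]:
    """Return (status, reason) using the same wording as the control."""
    gid = sg["GroupId"]
    num = sum(open_cidr_count(p) for p in sg.get("IpPermissions", []) if permission_covers_cifs(p))
    if num == 0:
        return "ok", f"{gid} ingress restricted for CIFS port (445) from 0.0.0.0/0 and ::/0."
    return "alarm", (f"{gid} contains {num} ingress rule(s) allowing access "
                     f"on CIFS port (445) from 0.0.0.0/0 or ::/0.")


# Constructed sample groups in describe-security-groups shape (not real AWS data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [  # 445 from a private range only -> ok
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [  # 0-1023 range spans 445 -> alarm
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1023,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000cccc", "IpPermissions": [  # all traffic from ::/0 -> alarm
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        print(*evaluate_security_group(group))
```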