AWS Security Groups With Inbound Rule Overly Permissive To All Traffic

This policy identifies AWS Security Groups that allow inbound traffic on all protocols from the public internet. Doing so may allow a bad actor to brute force their way into the system and potentially gain access to the entire network.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform

Build Rules

AWS Security Groups with Inbound rule overly permissive to All Traffic.
JSON Query:
($.resource[*].aws_security_group exists and ($.resource[*].aws_security_group.*[*].*.ingress[*].protocol equals -1 and ($.resource[*].aws_security_group.*[*].*.ingress[*].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group.*[*].*.ingress[*].ipv6_cidr_blocks[*] contains ::/0))) or ($.resource[*].aws_security_group_rule exists and ($.resource[*].aws_security_group_rule.*[*].*.protocol equals -1 and $.resource[*].aws_security_group_rule.*[*].*.type equals ingress and ($.resource[*].aws_security_group_rule.*[*].*.cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group_rule.*[*].*.ipv6_cidr_blocks[*] contains ::/0)))
Recommendation:
Recommended solution for not allowing all ingress traffic:
Ensure that the Security Group is not overly permissive by allowing all ingress traffic. Make sure the value of "cidr_blocks" is not "0.0.0.0/0" and the value of "ipv6_cidr_blocks" is not "::/0" when "protocol" is set to -1.
For example:
"aws_security_group": [
  {
    "<security_group_name>": [
      {
        "description": "Allow TLS inbound traffic",
        "ingress": [
          {
            "cidr_blocks": ["10.0.0.0/16"],
            "protocol": "-1"
          }
        ],
        "name": "allow_tls",
        "vpc_id": "${aws_vpc.main.id}"
      }
    ]
  }
]
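The following is an added example, not part of this policy page or of Prisma Cloud: a small Python checker that implements the Build Rule's JSON query over Terraform-JSON shaped like the example above (a "resource" array holding "aws_security_group" and "aws_security_group_rule" entries keyed by resource name). It goes slightly beyond the query in that it also treats the protocol keyword "all" as equivalent to -1, which is an assumption about how the AWS provider normalizes that value; the sample input is constructed.

```python
# Constructed Terraform-JSON sample mirroring the page's layout: one compliant
# group (the page's own example), one offending group, one offending standalone
# ingress rule and one egress rule that the policy must ignore.
SAMPLE_TF_JSON = {
    "resource": [
        {
            "aws_security_group": [
                {"allow_tls": [{"ingress": [{"cidr_blocks": ["10.0.0.0/16"], "protocol": "-1"}]}]},
                {"wide_open": [{"ingress": [{"ipv6_cidr_blocks": ["::/0"], "protocol": "-1"}]}]},
            ],
            "aws_security_group_rule": [
                {"all_in": [{"type": "ingress", "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]},
                {"all_out": [{"type": "egress", "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]},
            ],
        }
    ]
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}  # the two "anywhere" sources named by the policy


def _is_all_protocols(value) -> bool:
    # Terraform accepts -1 as a number or a string; "all" is assumed to be
    # normalized to -1 by the AWS provider (not stated on the policy page).
    return str(value).strip().lower() in {"-1", "all"}


def _open_to_world(block: dict) -> bool:
    # Matches the query: protocol -1 AND (cidr_blocks has 0.0.0.0/0 OR ipv6_cidr_blocks has ::/0)
    cidrs = set(block.get("cidr_blocks", [])) | set(block.get("ipv6_cidr_blocks", []))
    return _is_all_protocols(block.get("protocol")) and bool(cidrs & PUBLIC_CIDRS)


def find_overly_permissive(tf_json: dict) -> list:
    """Return (resource_type, name) for every resource the policy would flag."""
    findings = []
    for res in tf_json.get("resource", []):
        # Inline ingress blocks on aws_security_group resources
        for entry in res.get("aws_security_group", []):
            for name, bodies in entry.items():
                if any(_open_to_world(ing) for body in bodies for ing in body.get("ingress", [])):
                    findings.append(("aws_security_group", name))
        # Standalone aws_security_group_rule resources: only type = ingress counts
        for entry in res.get("aws_security_group_rule", []):
            for name, bodies in entry.items():
                if any(body.get("type") == "ingress" and _open_to_world(body) for body in bodies):
                    findings.append(("aws_security_group_rule", name))
    return findings


if __name__ == "__main__":
    for rtype, name in find_overly_permissive(SAMPLE_TF_JSON):
        print(f"{rtype}.{name}: all-protocol ingress from the public internet")
```

Running it on the sample reports wide_open and all_in only; the page's own allow_tls example (protocol -1 but a private /16 source) and the egress rule are not flagged.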

Run Rule Recommendation

If the Security Groups reported indeed need to restrict all traffic, follow the instructions below:
  1. Log in to the AWS Console and navigate to the 'VPC' service.
  2. Select the 'Security Group' reported in the alert and click on the 'Inbound Rules' tab.
  3. Remove the rule whose 'Source' value is 0.0.0.0/0 or ::/0 and whose 'Type' value is All traffic.
Remediation CLI Command:
aws --region ${region} ec2 revoke-security-group-ingress --group-id ${resourceId} --ip-permissions '[{"IpProtocol": "${protocol}", "FromPort": ${fromPort}, "ToPort": ${toPort}, "Ip${ipV4/6}Ranges":[{"CidrIp${ipV4/6}":"${cidr}"}]}]'
CLI Command Description:
This CLI command requires the 'ec2:RevokeSecurityGroupIngress' permission. Successful execution updates the security group by revoking the ingress rules that open all protocols to the internet over either IPv4 or IPv6.

Compliance

There are 3 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • PIPEDA
  • CCPA 2018