AWS Security Groups Allow Internet Traffic To SSH Port (22)

This policy identifies AWS Security Groups that allow inbound traffic on the SSH port (22) from the public internet. Exposing SSH this way may allow a bad actor to brute-force their way into the system and potentially gain access to the entire network.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform

Build Rules

AWS Security Groups allow internet traffic to SSH port (22).
JSON Query:
$.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<23 && @.to_port>21 )].ipv6_cidr_blocks[*] contains ::/0)
Recommendation:
Recommended solution for updating the Security Group so that it does not allow internet traffic to the SSH port (22).
It is recommended that the Security Group not allow internet traffic to the SSH port. Make sure that the cidr_blocks (or ipv6_cidr_blocks) attribute under the ingress blocks is not set to 0.0.0.0/0 or ::/0 for port 22.
For example:
"ingress": [ { "cidr_blocks": ["10.0.0.0/16"], "protocol": "tcp", "from_port": 22, "to_port": 22 } ]
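The following is an added example, not Prisma Cloud's own code: it reimplements the build rule's predicate (protocol tcp, a port range covering 22, and an any-source IPv4 or IPv6 CIDR) in Python and runs it over a constructed Terraform-as-JSON document laid out in the nested shape the JSON query walks. The sample resource names and rules are invented for the example.

```python
# Added example, not Prisma Cloud's own code. Evaluates the build rule's logic
# against a Terraform configuration converted to JSON in the nested shape the
# JSON query walks: $.resource[*].aws_security_group[*].<name>[*].ingress[*].
# The SAMPLE document below is constructed for this example.
SSH_PORT = 22
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def ingress_exposes_ssh(rule):
    """Same predicate as the query: tcp, range covering 22, any-source CIDR."""
    if rule.get("protocol") != "tcp":
        return False
    # from_port < 23 and to_port > 21 means the range includes port 22
    covers_22 = int(rule.get("from_port", 0)) < 23 and int(rule.get("to_port", 0)) > 21
    if not covers_22:
        return False
    return ANY_V4 in rule.get("cidr_blocks", []) or ANY_V6 in rule.get("ipv6_cidr_blocks", [])

def find_violations(tf_json):
    """Return the names of aws_security_group resources that fail the policy."""
    failed = []
    for block in tf_json.get("resource", []):
        for sg in block.get("aws_security_group", []):
            for name, bodies in sg.items():
                for body in bodies:
                    if any(ingress_exposes_ssh(r) for r in body.get("ingress", [])):
                        failed.append(name)
    return failed

SAMPLE = {
    "resource": [{
        "aws_security_group": [
            {"bastion_open": [{"ingress": [          # port 22 open to all IPv4
                {"protocol": "tcp", "from_port": 22, "to_port": 22,
                 "cidr_blocks": ["0.0.0.0/0"]}]}]},
            {"wide_range_v6": [{"ingress": [         # range 20-25 open to all IPv6
                {"protocol": "tcp", "from_port": 20, "to_port": 25,
                 "ipv6_cidr_blocks": ["::/0"]}]}]},
            {"internal_only": [{"ingress": [         # the page's recommended form
                {"protocol": "tcp", "from_port": 22, "to_port": 22,
                 "cidr_blocks": ["10.0.0.0/16"]}]}]},
            {"udp_not_ssh": [{"ingress": [           # udp is not matched by the rule
                {"protocol": "udp", "from_port": 22, "to_port": 22,
                 "cidr_blocks": ["0.0.0.0/0"]}]}]},
        ]
    }]
}

if __name__ == "__main__":
    print(find_violations(SAMPLE))  # ['bastion_open', 'wide_range_v6']
```

Like the query it mirrors, the predicate only matches protocol 'tcp', so an all-protocols ingress rule (protocol -1) open to 0.0.0.0/0 is not flagged by this policy and needs a separate check.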

Run Rule Recommendation

If the Security Groups reported indeed need to restrict all traffic, follow the instructions below:
  1. Log in to the AWS Console and navigate to the 'VPC' service.
  2. Select the 'Security Group' reported in the alert and click on 'Inbound Rule'.
  3. Remove the rule whose 'Source' value is 0.0.0.0/0 or ::/0 and whose 'Port Range' value is 22 (or a range containing 22).
Remediation CLI Command:
aws --region ${region} ec2 revoke-security-group-ingress --group-id ${resourceId} --ip-permissions '[{"IpProtocol": "${protocol}", "FromPort": ${fromPort}, "ToPort": ${toPort}, "Ip${ipV4/6}Ranges":[{"CidrIp${ipV4/6}":"${cidr}"}]}]'
CLI Command Description:
This CLI command requires the 'ec2:RevokeSecurityGroupIngress' permission. Successful execution updates the security group by revoking the ingress rule records that leave port 22 open to the internet over IPv4 or IPv6.

Compliance

There are 13 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • NIST CSF
  • GDPR
  • CIS v1.2.0 (AWS)
  • HIPAA
  • CSA CCM v3.0.1
  • SOC 2
  • ISO 27001:2013
  • PIPEDA
  • HITRUST CSF v9.3
  • CCPA 2018
  • NIST 800-171 Rev1
  • NIST 800-53 Rev4
