AWS Security Groups Allow Internet Traffic From Internet To RDP Port (3389)

This policy identifies the security groups which is exposing RDP port (3389) to the internet. Security Groups do not allow inbound traffic on RDP port (3389) from public internet. Doing so, may allow a bad actor to brute force their way into the system and potentially get access to the entire network.

Policy Details

Policy Subtype
Run, Build
Severity
High
Template Type
Terraform

Build Rules

AWS Security Groups allow internet traffic from internet to RDP port (3389).
JSON Query:
$.resource[*].aws_security_group exists and ($.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<3390 && @.to_port>3388 )].cidr_blocks[*] contains 0.0.0.0/0 or $.resource[*].aws_security_group[*].*[*].ingress[?( @.protocol == 'tcp' && @.from_port<3390 && @.to_port>3388)].ipv6_cidr_blocks[*] contains ::/0)
Recommendation:
Recommended solution for updating Security Group to not allow internet traffic to RDP port (3389).
It is recommended that Security Group should not allow internet traffic to RDP port (3389). Please make sure that cidr atrribute under ingress blocks is not set to 0.0.0.0/0 or ::/0 for port 22.
For example:
"ingress": [ { "cidr_blocks": [ "10.0.0.0/16" ], "from_port": 3389, "protocol": "tcp", "to_port": 3389 } ]

Run Rule Recommendation

If the Security Groups reported indeed need to restrict all traffic, follow the instructions below:.
  1. Login to the AWS Console and navigate to the 'VPC' service.
  2. Select the 'Security Group' reported in the alert. Click on the 'Inbound Rule'.
  3. Remove the rule which has 'Source' value as 0.0.0.0/0 or ::/0 and 'Port Range' value as 3389 (or range containing 3389).
Remediation CLI Command:
aws --region ${region} ec2 revoke-security-group-ingress --group-id ${resourceId} --ip-permissions '[{"IpProtocol": "${protocol}", "FromPort": ${fromPort}, "ToPort": ${toPort}, "Ip${ipV4/6}Ranges":[{"CidrIp${ipV4/6}":"${cidr}"}]}]'
CLI Command Description:
This CLI command requires 'ec2:RevokeSecurityGroupIngress' permission. Successful execution will update the security group to revoke the ingress rule records with port 3389 open to internet either on IPv4 or on IPv6 protocol.

Compliance

There are 13 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • NIST CSF
  • GDPR
  • CIS v1.2.0 (AWS)
  • HIPAA
  • CSA CCM v3.0.1
  • SOC 2
  • ISO 27001:2013
  • PIPEDA
  • HITRUST CSF v9.3
  • CCPA 2018
  • NIST 800-171 Rev1
  • NIST 800-53 Rev4

Recommended For You