Logo of Trend Micro

Unrestricted Security Group Ingress on Uncommon Ports

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (act today)
Rule ID: EC2-034

Check your EC2 security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) to any uncommon TCP and UDP ports and restrict access to only those IP addresses that require it in order to implement the principle of least privilege and reduce the possibility of a breach. An uncommon port can be any TCP/UDP port that is not included in the common services ports category, i.e. other than the commonly used ports such as 80 (HTTP), 443 (HTTPS), 20/21 (FTP), 22 (SSH), 23 (Telnet), 3389 (RDP), 1521 (Oracle), 3306 (MySQL), 5432 (PostgreSQL), 53 (DNS), 1433 (MSSQL) and 137/138/139/445 (SMB/CIFS).

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Allowing unrestricted (0.0.0.0/0 or ::/0) inbound/ingress access to uncommon ports can increase opportunities for malicious activity and the risk of data loss through multiple types of attacks (brute-force attacks, Denial of Service (DoS) attacks, etc).

Audit

To determine if your EC2 security groups allow unrestricted ingress access to uncommon ports, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under the NETWORK & SECURITY section, choose Security Groups.

04 Select the EC2 security group that you want to examine.

05 Select the Inbound tab from the dashboard bottom panel.

06 Verify the value available in the Source column for any inbound/ingress rules with uncommon ports. If one or more rules have the source set to 0.0.0.0/0 or ::/0 (Anywhere), the selected security group allows unrestricted traffic to uncommon ports, therefore the access to the EC2 instance(s) associated with the security group is not restricted.

07 Repeat steps no. 4 – 6 to verify the rest of the EC2 security groups available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) using the necessary filters to expose the security groups with inbound/ingress rules that allow traffic from all addresses (0.0.0.0/0 or ::/0), available in the selected region: 

aws ec2 describe-security-groups
	--region us-east-1
	--filters Name=ip-permission.cidr,Values='0.0.0.0/0'
	--query 'SecurityGroups[*].GroupId'

aws ec2 describe-security-groups
	--region us-east-1
	--filters Name=ip-permission.ipv6-cidr,Values='::/0'
	--query 'SecurityGroups[*].GroupId'

02 The command output should return an array with the requested information. If the command does not return any output, there are no EC2 security groups that allow unrestricted access (0.0.0.0/0 or ::/0), otherwise it should return the ID(s) of the security group(s) that match filter criteria, as shown in the following example: 

[
    "sg-48016733",
    "sg-5365d728",
    "sg-960167ed"

]

03 Re-run describe-security-groups command (OSX/Linux/UNIX) using custom filtering to list all the inbound rules defined for the selected security group: 

aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-5365d728
	--query 'SecurityGroups[*].IpPermissions[]'

04 The command output should return the requested inbound rules metadata: 

[
    {
        "PrefixListIds": [],
        "FromPort": 8040,
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "ToPort": 8040,
        "IpProtocol": "tcp",
        "UserIdGroupPairs": []
    },

    ...

    {
        "PrefixListIds": [],
        "FromPort": 115,
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "ToPort": 155,
        "IpProtocol": "tcp",
        "UserIdGroupPairs": []
    }

]

Each JSON object returned at the previous step, separated by a comma, represents an inbound rule metadata. To identify any uncommon TCP/UDP ports, verify the FromPort and ToPort parameter values. If one or more rules returned have uncommon ports defined, the selected security group allows unrestricted traffic to those ports, therefore the access to the associated EC2 instance(s) is not restricted.

05 Repeat step no. 3 and 4 to verify the inbound rules of the remaining EC2 security groups available in the current region.

06 Repeat steps no. 1 – 4 to perform the audit process for other AWS regions.

Remediation / Resolution

To update your EC2 security groups inbound configuration in order to restrict access to specific entities (IP addresses, IP ranges or other security groups), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the appropriate security group.

05 Select the Inbound tab from the dashboard bottom panel and click the Edit button.

06 In the Edit inbound rules dialog box, change the traffic Source for any inbound rules that allow unrestricted access through TCP/UDP uncommon ports by performing one of the following actions:

  1. Select My IP from the Source dropdown list to allow inbound traffic only from your machine (from your IP address).
  2. Select Custom from the Source dropdown list and enter one of the following options based on your access requirements:
    • The static IP/Elastic IP address of the permitted host with the suffix set to /32, e.g. 50.164.53.108/32.
    • The IP address range of the permitted hosts in CIDR notation, for example 50.164.53.108/24.
    • The name or ID of another security group available in the same AWS region.

07 Click Save to apply the changes.

08 Repeat steps no. 4 – 7 to update other EC2 security groups that allow unrestricted inbound access.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule(s) that allow unrestricted access through uncommon ports, from the selected EC2 security group. Set the --protocol parameter value to tcp or udp based on your needs (the command does not return an output): 

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-id sg-5365d728
	--protocol tcp
	--port 8040
	--cidr 0.0.0.0/0

02 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the ingress rules removed at the previous step with a different set of parameters in order to restrict inbound access to specific entities. To add custom inbound/ingress rules to the selected security group, use one of the following options (the command does not produce an output):

  1. Add an inbound rule that allows access only to the specified static IP/Elastic IP address of the permitted host using uncommon port 8040: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-5365d728
	--protocol tcp
	--port 8040
	--cidr 50.164.53.108/32
  2. Add an inbound rule that allows access only to the IP address range of the permitted hosts using uncommon port 8040: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-5365d728
	--protocol tcp
	--port 8040
	--cidr 50.164.53.108/24
  3. Add an inbound rule that allows access only to another EC2 security group in the same AWS region using uncommon port 8040: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-5365d728
	--protocol tcp
	--port 8040
	--source-group MyWebAppSecurityGroup
  4. Change the --port parameter value based on your requirements and repeat steps a – c to add the necessary inbound rule(s) that you removed at step no. 1.

03 Repeat step no. 1 and 2 to update other EC2 security groups that allow unrestricted inbound access using AWS CLI.

04 Repeat steps no. 1 - 3 to implement the entire process for other AWS regions.

References

Publication date Jun 19, 2016

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Unrestricted Security Group Ingress on Uncommon Ports

Risk level: High