Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Unrestricted Security Group Ingress on Uncommon Ports

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (act today)
Rule ID: EC2-034

Ensure that your Amazon EC2 security groups don't allow unrestricted access (0.0.0.0/0 or ::/0) on uncommon ports in order to protect against attackers that use brute force methods to gain access to the EC2 instances associated with your security groups. An uncommon port can be any TCP/UDP port that is not included in the common service ports category, i.e., other than the commonly used ports such as 80 (HTTP), 443 (HTTPS), 20/21 (FTP), 22 (SSH), 23 (Telnet), 53 (DNS), 3389 (RDP), 25/465/587 (SMTP), 3306 (MySQL), 5432 (PostgreSQL), 1521 (Oracle Database), 1433 (SQL Server), 135 (RPC), and 137/138/139/445 (SMB/CIFS).

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Allowing unrestricted inbound (ingress) access to Amazon EC2 instances on uncommon TCP/UDP ports can increase opportunities for malicious activities such as hacking, data capture, and all kinds of attacks (brute-force attacks, Man-in-the-Middle attack, and Denial-of-Service attacks).

Audit

To determine if your Amazon EC2 security groups allow unrestricted ingress access on uncommon TCP/UDP ports, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to examine.

05 Select the Inbound rules tab from the console split panel to access the ingress rules created for the selected security group.

06 Check the configuration value available in the Source column for any inbound rules with uncommon ports (other than the ones listed in the rule description). If one or more rules have the Source value set to 0.0.0.0/0 or ::/0(i.e., Anywhere), the selected Amazon EC2 security group allows unrestricted traffic to uncommon ports. Therefore, the access to the associated EC2 instances is not secured.

07 Repeat steps no. 4 – 6 for each EC2 security group available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with predefined filters to expose the ID of each Amazon EC2 security group that allows unrestricted inbound access to all IPv4 addresses (i.e., 0.0.0.0/0). Replace the --filters parameter value with the Name=ip-permission.ipv6-cidr,Values='::/0' to expose the security groups that allow unrestricted inbound access to all IPv6 addresses (i.e., ::/0): 

aws ec2 describe-security-groups
	--region us-east-1
	--filters Name=ip-permission.cidr,Values='0.0.0.0/0'
	--output table
	--query 'SecurityGroups[*].GroupId'

02 If the describe-security-groups command does not produce an output, there are no security groups that allow unrestricted inbound access in the selected AWS cloud region. Otherwise, the command output should return a table with the requested security group ID(s): 

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

03 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to list all the inbound rules defined for the selected Amazon EC2 security group: 

aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-01234abcd1234abcd
	--query 'SecurityGroups[*].IpPermissions[]'

04 The command output should return the requested configuration information: 

[
	{
		"FromPort": 8040,
		"IpProtocol": "tcp",
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"Ipv6Ranges": [
			{
				"CidrIpv6": "::/0"
			}
		],
		"PrefixListIds": [],
		"ToPort": 8040,
		"UserIdGroupPairs": []
	}
]

To identify any uncommon TCP/UDP ports, check the "FromPort" and "ToPort" attributes values. If one or more rules returned by the describe-security-groups command output are using uncommon ports (other than the ones listed in the rule description), the selected Amazon EC2 security group allows unrestricted traffic to uncommon ports. Therefore, the access to the associated EC2 instances is not secured.

05 Repeat steps no. 3 and 4 for each EC2 security group available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To update the inbound rule configuration for your Amazon EC2 security groups in order to restrict access to trusted networks only, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
	"AWSTemplateFormatVersion":"2010-09-09",
	"Description":"Allow inbound access on uncommon ports to trusted entities only",
	"Resources":{
		"CustomSecurityGroup" : {
			"Type" : "AWS::EC2::SecurityGroup",
			"Properties" : {
			"GroupDescription" : "Custom security group",
			"GroupName" : "custom-security-group",
			"VpcId" : "vpc-1234abcd",
			"SecurityGroupIngress" : [{
				"IpProtocol" : "tcp",
				"FromPort" : 8040,
				"ToPort" : 8040,
				"CidrIp" : "10.0.0.35/32"
			}],
			"SecurityGroupEgress" : [{
				"IpProtocol" : "-1",
				"FromPort" : 0,
				"ToPort" : 65535,
				"CidrIp" : "0.0.0.0/0"
			}]
			}
		}
	}
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
    Description: Allow inbound access on uncommon ports to trusted entities only
    Resources:
        CustomSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: Custom security group
            GroupName: custom-security-group
            VpcId: vpc-1234abcd
            SecurityGroupIngress:
            - IpProtocol: tcp
            FromPort: 8040
            ToPort: 8040
            CidrIp: 10.0.0.35/32
            SecurityGroupEgress:
            - IpProtocol: "-1"
            FromPort: 0
            ToPort: 65535
            CidrIp: 0.0.0.0/0

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_security_group" "security-group" {
	name        = "custom-security-group"
	description = "Custom security group"
	vpc_id      = "vpc-1234abcd"

	# Allow inbound access on uncommon ports to trusted IPs/IP ranges only
	ingress {
		from_port        = 8040
		to_port          = 8040
		protocol         = "tcp"
		cidr_blocks      = ["10.0.0.35/32"]
	}

	egress {
		from_port        = 0
		to_port          = 0
		protocol         = "-1"
		cidr_blocks      = ["0.0.0.0/0"]
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Select the non-compliant Amazon EC2 security group that you want to configure.

05 Select the Inbound rules tab from the console split panel and choose Edit inbound rules.

06 On the Edit inbound rules configuration page, change the traffic source for the inbound rule that allows unrestricted access through uncommon TCP/UDP ports, by performing one of the following actions:

  1. Select My IP from the Source dropdown list to allow inbound traffic only from your current IP address.
  2. Select Custom from the Source dropdown list and enter one of the following sources based on your access requirements:
    1. The static IP address of the permitted host in CIDR notation (e.g., 10.0.0.5/32).
    2. The IP address range of the permitted network/subnetwork in CIDR notation, for example, 10.0.5.0/24.
    3. The name or ID of another security group available in the Security Groups section.
    4. The name or ID of a prefix list available in the Prefix lists section. Prefix lists simplify security group configuration by grouping frequently used CIDR blocks.
  3. Choose Save rules to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each Amazon EC2 security group that allow unrestricted access to uncommon TCP/UDP ports.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) with the ID of the non-compliant Amazon EC2 security group that you want to configure as the identifier parameter, to remove the inbound rules that allow unrestricted access through uncommon TCP ports. Replace tcp with udp within the IpProtocol parameter value to remove the ingress rule that allows unrestricted access on uncommon UDP ports: 

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-id sg-01234abcd1234abcd
	--ip-permissions IpProtocol=tcp,FromPort=8040,ToPort=8040,IpRanges=[{CidrIp="0.0.0.0/0"}],Ipv6Ranges=[{CidrIpv6="::/0"}]
	--query 'Return'

02 The command output should return **true** if the request succeeds. Otherwise, it should return an error: 

true

03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rule removed in the previous step with a different set of parameters in order to restrict access to trusted entities only (IP addresses, IP ranges, or security groups). To create and attach custom ingress rules to the selected Amazon EC2 security group based on your access requirements, use one of the following options (the command output should return true if the command request succeeds):

  1. Add an inbound rule that allows traffic from an authorized static IP address via TCP port 8040 (uncommon port), using CIDR notation (e.g., 10.0.0.5/32). Replace tcp with udp within the --protocol command parameter value for rules with uncommon UDP ports: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-01234abcd1234abcd
	--protocol tcp
	--port 8040
	--cidr 10.0.0.5/32
	--query 'Return'
  2. Add an ingress rule that allows traffic from a trusted IP address range through TCP port 8040, using CIDR notation (for example, 10.0.5.0/24). Replace tcp with udp within the --protocol command parameter value for rules with uncommon UDP ports: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-01234abcd1234abcd
	--protocol tcp
	--port 8040
	--cidr 10.0.5.0/24
	--query 'Return'
  3. Add an inbound rule that allows traffic from another security group (e.g. sg-01234123412341234) available in the same AWS cloud region via TCP port 8040. Replace tcp with udp within the --protocol command parameter value for rules with uncommon UDP ports: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-01234abcd1234abcd
	--protocol tcp
	--port 8040
	--source-group sg-01234123412341234
	--query 'Return'
  4. Add an ingress rule that allows traffic from a prefix list (e.g., pl-0123abcd) via TCP port 8040. Replace tcp with udp for IpProtocol for rules with uncommon UDP ports: 
    aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-01234abcd1234abcd
	--ip-permissions 'IpProtocol=tcp,FromPort=8040,ToPort=8040,PrefixListIds=[{PrefixListId=pl-0123abcd}]'
	--query 'Return'

04 Repeat steps no. 1 – 3 to configure other EC2 security groups that allow unrestricted access on uncommon TCP/UDP ports.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Remediation process for other regions.

References

Publication date Jun 19, 2016

Related EC2 rules