Security Group Port Range

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-001

Ensure that your Amazon EC2 security groups do not have ranges of ports open for inbound traffic, in order to protect the associated EC2 instances against Denial-of-Service (DoS) and brute-force attacks. Trend Cloud One™ – Conformity strongly recommends opening only the specific ports your applications require within your security groups.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Opening a range of ports in your Amazon EC2 security groups is not good practice because it allows attackers to use port scanners and other probing techniques to identify the services and applications running on your EC2 instances and to exploit any vulnerabilities they have.


Audit

To determine whether your Amazon EC2 security groups use ranges of ports to allow inbound traffic, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to examine.

05 Choose the Inbound rules tab from the console bottom panel to access the inbound rules created for the selected group.

06 Check the value in the Port range column for each existing inbound/ingress rule to determine whether the rule is configured with a range of ports (e.g. 0 – 65535, 80 – 8080, 111 – 32800). If one or more inbound rules use a range of ports to allow traffic, the selected Amazon EC2 security group is not configured to follow AWS cloud security best practices.

07 Repeat steps no. 4 – 6 for each EC2 security group available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-security-groups command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon EC2 security group available in the selected AWS region:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --output table \
  --query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
|  sg-0abcdabcdabcdabcd  |
+------------------------+

03 Run the describe-security-groups command (OSX/Linux/UNIX) using the ID of the EC2 security group that you want to examine as the identifier parameter, to list all the inbound/ingress rules defined for the selected security group:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids sg-01234abcd1234abcd \
  --query 'SecurityGroups[*].IpPermissions[]'

04 The command output should return the requested configuration information:

[
	{
		"FromPort": 80,
		"IpProtocol": "tcp",
		"IpRanges": [
			{
				"CidrIp": "0.0.0.0/0"
			}
		],
		"Ipv6Ranges": [
			{
				"CidrIpv6": "::/0"
			}
		],
		"PrefixListIds": [],
		"ToPort": 8080,
		"UserIdGroupPairs": []
	}
]

If the describe-security-groups command output returns the same value (port) for the "FromPort" and "ToPort" attributes, the verified security group uses specific ports instead of ranges. If the command output returns different values for the "FromPort" and "ToPort" attributes, the inbound rules use a range of ports to allow traffic, and therefore the selected Amazon EC2 security group is not configured to follow AWS cloud security best practices.
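The FromPort/ToPort comparison above, applied to the whole describe-security-groups output at once. This is an added example, not Conformity's own check; it runs on a constructed sample shaped like the CLI's JSON output (the group IDs are the placeholder IDs used on this page). It also handles two cases the text does not spell out: an IpProtocol "-1" (all traffic) rule carries no FromPort/ToPort keys at all but opens every port, so it is reported, and an icmp rule uses FromPort/ToPort for ICMP type and code rather than ports, so it is skipped.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-01234abcd1234abcd", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0abcd1234abcd1234", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.5.0/24"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0abcdabcdabcdabcd", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]})


def sources(rule):
    """Flatten IPv4 CIDRs, IPv6 CIDRs and referenced groups into one list."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])])


def find_port_range_rules(describe_output):
    """Return (group_id, reason, sources) for each inbound rule that opens a port range.

    tcp/udp rules are compliant only when FromPort == ToPort. "-1" rules have no
    port keys but allow every port on every protocol, so they are reported too.
    icmp rules are skipped: their FromPort/ToPort are ICMP type/code, not ports.
    """
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            if proto == "-1":
                findings.append((group["GroupId"], "all protocols and ports", sources(rule)))
            elif proto in ("tcp", "udp") and rule["FromPort"] != rule["ToPort"]:
                reason = f"{proto} {rule['FromPort']}-{rule['ToPort']}"
                findings.append((group["GroupId"], reason, sources(rule)))
    return findings


if __name__ == "__main__":
    for group_id, reason, srcs in find_port_range_rules(SAMPLE_OUTPUT):
        print(f"{group_id}: {reason} open from {', '.join(srcs)}")
```

To run it against a real region, save the output of `aws ec2 describe-security-groups --region us-east-1 --output json` to a file and pass its contents to find_port_range_rules instead of SAMPLE_OUTPUT.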

Remediation / Resolution

To configure specific ports instead of port ranges for your Amazon EC2 security group rules, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure specific ports instead of port ranges for inbound rules",
	"Resources": {
		"CustomSecurityGroup": {
			"Type": "AWS::EC2::SecurityGroup",
			"Properties": {
				"GroupDescription": "Custom web traffic security group",
				"GroupName": "custom-web-security-group",
				"VpcId": "vpc-1234abcd",
				"SecurityGroupIngress": [{
					"IpProtocol": "tcp",
					"FromPort": 80,
					"ToPort": 80,
					"CidrIp": "10.0.5.0/24"
				}],
				"SecurityGroupEgress": [{
					"IpProtocol": "-1",
					"FromPort": 0,
					"ToPort": 65535,
					"CidrIp": "0.0.0.0/0"
				}]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure specific ports instead of port ranges for inbound rules
Resources:
  CustomSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Custom web traffic security group
      GroupName: custom-web-security-group
      VpcId: vpc-1234abcd
      # A single port: FromPort and ToPort carry the same value
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 10.0.5.0/24
      SecurityGroupEgress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_security_group" "web-security-group" {
	name        = "custom-security-group"
	description = "Custom web traffic security group"
	vpc_id      = "vpc-1234abcd"

	# Configure specific ports instead of port ranges for inbound rules
	ingress {
		from_port        = 80
		to_port          = 80
		protocol         = "tcp"
		cidr_blocks      = ["10.0.5.0/24"]
	}

	egress {
		from_port        = 0
		to_port          = 0
		protocol         = "-1"
		cidr_blocks      = ["0.0.0.0/0"]
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

06 On the Edit inbound rules configuration page, perform the following operations:

  1. Choose Add rule to create as many inbound rules as necessary in order to replace the rules configured with the port ranges. To create and configure an inbound rule, perform the following:
    • Select Custom TCP/UDP/ICMP/Protocol or the name of the port that you want to use (e.g. HTTP) from the Type dropdown list.
    • For Protocol, provide the type of the protocol used by the inbound rule (if required).
    • For Port Range, enter a specific port number (e.g. 80) instead of a port range.
    • For Source, choose Custom, Anywhere, or My IP to define the appropriate source of the incoming traffic. If you choose Custom, enter one of the following options based on your access requirements:
      • The static IP address of the permitted host in CIDR notation (e.g. 10.0.0.5/32).
      • The IP address range of the permitted network/subnetwork in CIDR notation, for example 10.0.5.0/24.
      • The name or ID of another security group available in the same AWS cloud region.
  2. Once you create all the required rules, choose Delete next to each inbound rule that implements port ranges to remove the non-compliant rules from the security group.
  3. Choose Save rules to apply the configuration changes.

07 Repeat steps no. 4 – 6 to reconfigure other Amazon EC2 security groups with port ranges, available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run the revoke-security-group-ingress command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to reconfigure as the identifier parameter, to remove the inbound rule configured with a port range from the selected security group:

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --ip-permissions 'IpProtocol=tcp,FromPort=80,ToPort=8080,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}]' \
  --query 'Return'

02 The command output should return true if the request succeeds. Otherwise, it should return an error:

true

03 Run the authorize-security-group-ingress command (OSX/Linux/UNIX) to re-add the inbound rule removed in the previous step with a different set of parameters, so that it allows inbound access on a specific port instead of a range of ports. To create and attach the required inbound rule to the selected Amazon EC2 security group, use one of the following options (the command does not produce an output):

  1. Add an inbound rule that allows traffic from an authorized static IP address on a specific port, using CIDR notation (e.g. 10.0.0.5/32):
    aws ec2 authorize-security-group-ingress \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd \
      --protocol tcp \
      --port 80 \
      --cidr 10.0.0.5/32

  2. Add an inbound/ingress rule that allows traffic from a trusted IP address range through a specific port, using CIDR notation (for example, 10.0.5.0/24):
    aws ec2 authorize-security-group-ingress \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd \
      --protocol tcp \
      --port 80 \
      --cidr 10.0.5.0/24

  3. Add an inbound rule that allows traffic from another security group (e.g. sg-01234123412341234) available in the same AWS cloud region on a specific port:
    aws ec2 authorize-security-group-ingress \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd \
      --protocol tcp \
      --port 80 \
      --source-group sg-01234123412341234


04 Repeat steps no. 1 – 3 to reconfigure other Amazon EC2 security groups with port ranges, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Publication date Jun 10, 2016