AWS Client VPN Authorization Rules Should Be Enabled Authorizing All Clients
More Info:
This rule checks if the AWS Client VPN authorization rules authorize connection access for all clients. Having authorization rules that allow access for all clients (AccessAll) can pose a security risk by potentially granting access to unauthorized users. The rule is marked as non-compliant if ‘AccessAll’ is present and set to true.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled authorizing all clients, you can follow these steps using the AWS console:
- Login to AWS Console: Go to the AWS Management Console and login to your account.
- Navigate to AWS Client VPN: In the AWS Management Console, navigate to the AWS Client VPN service.
- Select the Client VPN Endpoint: Select the Client VPN endpoint for which you want to enable authorization rules.
- Click on the “Authorization” tab: In the Client VPN details page, click on the “Authorization” tab to view the current authorization rules.
- Edit Authorization Rules: Click on the “Edit Authorization Rules” button to edit the authorization rules for the Client VPN.
- Add a New Rule: Click on the “Add Rule” button to add a new authorization rule.
-
Configure the Authorization Rule: In the configuration for the new authorization rule, set the following values:
- Action: Allow
- Access to: All
- Clients: All
- Save the Authorization Rule: After configuring the authorization rule, click on the “Save” button to save the rule.
- Review and Apply Changes: Review the changes to ensure that the authorization rule is correctly configured to authorize all clients. Click on the “Apply changes” button to apply the new authorization rule.
- Verify the Configuration: Verify that the authorization rule has been successfully applied by checking the list of authorization rules for the Client VPN endpoint.
Using CLI
Using CLI
To remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled to authorize all clients, you can follow these steps using the AWS CLI:By following these steps, you can remediate the misconfiguration of AWS Client VPN Authorization Rules not authorizing all clients on an AWS EC2 instance using the AWS CLI.
- List the existing authorization rules for the AWS Client VPN endpoint:
- Identify the existing authorization rules that need to be updated to authorize all clients.
-
Update the authorization rules to authorize all clients by adding a new rule with CIDR range
0.0.0.0/0:
- Verify that the new authorization rule has been successfully added by listing the authorization rules again:
Using Python
Using Python
To remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled to authorize all clients for AWS EC2 using Python, you can follow these steps:By following these steps and running the Python script, you can remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled to authorize all clients for AWS EC2.
- Import the necessary Python libraries:
- Initialize the AWS EC2 client:
- Describe the existing Client VPN endpoints:
- Get the Client VPN endpoint ID:
- Update the Client VPN endpoint authorization rules to allow all clients:
- Verify that the authorization rules have been updated successfully: