Security Group Port Range

More Info:

Security groups should not have range of ports opened for inbound traffic in order to protect your EC2 instances against denial-of-service (DoS) attacks or brute-force attacks.

Risk Level

Low

Address

Security

Compliance Standards

HIPAA, NIST, SOC2, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

The remediation steps for Security Group Port Range misconfiguration in AWS using AWS CLI are as follows:

Identify the security group that has the misconfigured port range. You can use the following command to list all the security groups in your AWS account:
```
aws ec2 describe-security-groups
```
Once you have identified the security group, use the following command to update the security group and remove the misconfigured port range:
```
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-range>
```
Replace <security-group-id> with the ID of the security group that has the misconfigured port range, and <port-range> with the range of ports that need to be removed. For example, if the security group ID is sg-1234567890 and the misconfigured port range is 0-65535, the command would be:
```
aws ec2 revoke-security-group-ingress --group-id sg-1234567890 --protocol tcp --port 0-65535
```
Verify that the misconfigured port range has been removed by using the following command to describe the security group:
```
aws ec2 describe-security-groups --group-id <security-group-id>
```
Replace <security-group-id> with the ID of the security group that you updated. Verify that the misconfigured port range is no longer listed in the security group rules.

By following these steps, you can remediate the Security Group Port Range misconfiguration in AWS using AWS CLI.

Using Python

To remediate the Security Group Port Range misconfiguration in AWS using Python, follow these steps:

First, you need to identify the security group that has the misconfigured port range. You can do this by using the AWS SDK for Python (Boto3) to list all the security groups in your account and filter them based on the port range that is misconfigured.

Here’s an example code snippet that lists all the security groups in your account and filters them based on a specific port range:

import boto3

# Create an EC2 client
ec2 = boto3.client('ec2')

# List all the security groups in your account
response = ec2.describe_security_groups()

# Filter the security groups based on the misconfigured port range
misconfigured_security_groups = []
for sg in response['SecurityGroups']:
    for rule in sg['IpPermissions']:
        if rule['FromPort'] == 22 and rule['ToPort'] == 22:
            misconfigured_security_groups.append(sg['GroupId'])

In this example, we are filtering the security groups based on the SSH port (port 22), but you can modify the code to filter based on other port ranges as well.

Once you have identified the security groups that have the misconfigured port range, you need to update the security group rules to allow only the required ports. You can do this by using the authorize_security_group_ingress and revoke_security_group_ingress methods of the ec2 client.

Here’s an example code snippet that updates the security group rules to allow only the required ports:

# Update the security group rules to allow only the required ports
for sg_id in misconfigured_security_groups:
    ec2.revoke_security_group_ingress(
        GroupId=sg_id,
        IpPermissions=[
            {
                'IpProtocol': 'tcp',
                'FromPort': 0,
                'ToPort': 65535,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            },
            {
                'IpProtocol': 'udp',
                'FromPort': 0,
                'ToPort': 65535,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }
        ]
    )

    ec2.authorize_security_group_ingress(
        GroupId=sg_id,
        IpPermissions=[
            {
                'IpProtocol': 'tcp',
                'FromPort': 80,
                'ToPort': 80,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            },
            {
                'IpProtocol': 'tcp',
                'FromPort': 443,
                'ToPort': 443,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }
        ]
    )

In this example, we are allowing only HTTP (port 80) and HTTPS (port 443) traffic to the security groups that have the misconfigured port range. You can modify the code to allow other ports as well.

Finally, you should verify that the security group rules have been updated correctly. You can do this by using the describe_security_groups method of the ec2 client to retrieve the security group rules and checking that only the required ports are allowed.

Here’s an example code snippet that verifies the updated security group rules:

# Verify that the security group rules have been updated correctly
for sg_id in misconfigured_security_groups:
    response = ec2.describe_security_groups(GroupIds=[sg_id])
    for rule in response['SecurityGroups'][0]['IpPermissions']:
        if rule['FromPort'] != 80 and rule['ToPort'] != 443:
            print(f"Security group {sg_id} still has misconfigured port range")

In this example, we are checking that only HTTP (port 80) and HTTPS (port 443) traffic is allowed in the security groups that have the misconfigured port range. If any other port is still allowed, the code will print a message indicating that the security group still has a misconfigured port range.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Security Group Port Range

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: