More Info:

Security groups should not have range of ports opened for inbound traffic in order to protect your EC2 instances against denial-of-service (DoS) attacks or brute-force attacks.

Risk Level

Low

Address

Security

Compliance Standards

HIPAA, NIST, SOC2, PCIDSS

Triage and Remediation

Remediation

Using Console

Here are the step-by-step instructions to remediate the Security Group Port Range misconfiguration for AWS using the AWS console:
  1. Log in to your AWS console.
  2. Navigate to the EC2 dashboard.
  3. Click on the “Security Groups” option on the left-hand side of the screen.
  4. Select the affected security group.
  5. Click on the “Inbound Rules” tab.
  6. Identify the rule with the incorrect port range.
  7. Click on the “Edit” button for that rule.
  8. Update the port range to the appropriate range.
  9. Click on the “Save” button to save the changes.
  10. Verify that the changes have been applied by confirming that the correct port range is now listed in the security group’s inbound rules.
It is recommended to regularly review and update security group rules to ensure that they are configured correctly for your organization’s needs.

The remediation steps for Security Group Port Range misconfiguration in AWS using AWS CLI are as follows:
  1. Identify the security group that has the misconfigured port range. You can use the following command to list all the security groups in your AWS account: 
    aws ec2 describe-security-groups
  2. Once you have identified the security group, use the following command to update the security group and remove the misconfigured port range: 
    aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-range>
    Replace <security-group-id> with the ID of the security group that has the misconfigured port range, and <port-range> with the range of ports that need to be removed. For example, if the security group ID is sg-1234567890 and the misconfigured port range is 0-65535, the command would be: 
    aws ec2 revoke-security-group-ingress --group-id sg-1234567890 --protocol tcp --port 0-65535
  3. Verify that the misconfigured port range has been removed by using the following command to describe the security group: 
    aws ec2 describe-security-groups --group-id <security-group-id>
    Replace <security-group-id> with the ID of the security group that you updated. Verify that the misconfigured port range is no longer listed in the security group rules.
By following these steps, you can remediate the Security Group Port Range misconfiguration in AWS using AWS CLI.
To remediate the Security Group Port Range misconfiguration in AWS using Python, follow these steps:
  1. First, you need to identify the security group that has the misconfigured port range. You can do this by using the AWS SDK for Python (Boto3) to list all the security groups in your account and filter them based on the port range that is misconfigured.
Here’s an example code snippet that lists all the security groups in your account and filters them based on a specific port range:
import boto3

# Create an EC2 client
ec2 = boto3.client('ec2')

# List all the security groups in your account
response = ec2.describe_security_groups()

# Filter the security groups based on the misconfigured port range
misconfigured_security_groups = []
for sg in response['SecurityGroups']:
    for rule in sg['IpPermissions']:
        if rule['FromPort'] == 22 and rule['ToPort'] == 22:
            misconfigured_security_groups.append(sg['GroupId'])
In this example, we are filtering the security groups based on the SSH port (port 22), but you can modify the code to filter based on other port ranges as well.
  1. Once you have identified the security groups that have the misconfigured port range, you need to update the security group rules to allow only the required ports. You can do this by using the authorize_security_group_ingress and revoke_security_group_ingress methods of the ec2 client.
Here’s an example code snippet that updates the security group rules to allow only the required ports:
# Update the security group rules to allow only the required ports
for sg_id in misconfigured_security_groups:
    ec2.revoke_security_group_ingress(
        GroupId=sg_id,
        IpPermissions=[
            {
                'IpProtocol': 'tcp',
                'FromPort': 0,
                'ToPort': 65535,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            },
            {
                'IpProtocol': 'udp',
                'FromPort': 0,
                'ToPort': 65535,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }
        ]
    )

    ec2.authorize_security_group_ingress(
        GroupId=sg_id,
        IpPermissions=[
            {
                'IpProtocol': 'tcp',
                'FromPort': 80,
                'ToPort': 80,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            },
            {
                'IpProtocol': 'tcp',
                'FromPort': 443,
                'ToPort': 443,
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }
        ]
    )
In this example, we are allowing only HTTP (port 80) and HTTPS (port 443) traffic to the security groups that have the misconfigured port range. You can modify the code to allow other ports as well.
  1. Finally, you should verify that the security group rules have been updated correctly. You can do this by using the describe_security_groups method of the ec2 client to retrieve the security group rules and checking that only the required ports are allowed.
Here’s an example code snippet that verifies the updated security group rules:
# Verify that the security group rules have been updated correctly
for sg_id in misconfigured_security_groups:
    response = ec2.describe_security_groups(GroupIds=[sg_id])
    for rule in response['SecurityGroups'][0]['IpPermissions']:
        if rule['FromPort'] != 80 and rule['ToPort'] != 443:
            print(f"Security group {sg_id} still has misconfigured port range")
In this example, we are checking that only HTTP (port 80) and HTTPS (port 443) traffic is allowed in the security groups that have the misconfigured port range. If any other port is still allowed, the code will print a message indicating that the security group still has a misconfigured port range.

Additional Reading: