Security Groups Should Not Allow Inbound Traffic From RFC 1918
More Info:
No EC2 security group should allow inbound traffic from RFC-1918 CIDRs in order to follow AWS security best practices.
Risk Level: Low
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
Follow these steps to remediate the misconfiguration “Security Groups Should Not Allow Inbound Traffic From RFC 1918” for AWS using the AWS console:
- Log in to the AWS Management Console.
- Navigate to the EC2 service.
- Click on “Security Groups” from the left-hand menu.
- Select the security group that needs to be remediated.
- Click on the “Inbound Rules” tab.
- Identify the inbound rule(s) that allow traffic from RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
- Click on the “Edit” button for the rule that needs to be remediated.
- Change the “Source” field to a specific IP address or range that is allowed to access the resource(s) protected by the security group.
- Alternatively, set the “Source” field to “Custom” and enter an IP address or range that is not part of RFC 1918.
- Click on the “Save rules” button to apply the changes.
After following these steps, the security group will no longer allow inbound traffic from RFC 1918 addresses.
To remediate the misconfiguration “Security Groups Should Not Allow Inbound Traffic From RFC 1918” for AWS using the AWS CLI, follow these steps:
Step 1: Identify the security group(s) that allow inbound traffic from RFC 1918 IP addresses.
```shell
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
```
This command lists the security groups that have an inbound rule whose source is one of the listed RFC 1918 CIDR blocks.
Step 2: Revoke the Inbound Rule from the Security Group(s) identified in Step 1.
```shell
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-number> --cidr <RFC 1918 IP address range>
```
Replace <security-group-id> with the ID of the security group, <port-number> with the port number that is open to RFC 1918 IP addresses, and <RFC 1918 IP address range> with the appropriate RFC 1918 IP address range.
Repeat this command for each security group identified in Step 1.
Step 3: Verify that the Inbound Rule has been revoked.
```shell
aws ec2 describe-security-groups --group-ids <security-group-id> --query "SecurityGroups[*].IpPermissions[*].{Protocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,IPRanges:IpRanges[*].CidrIp}"
```
Replace <security-group-id> with the ID of the security group. The parameter is `--group-ids` (it accepts one or more IDs), and the source CIDRs sit under `IpRanges[*].CidrIp` rather than directly on the permission.
This command lists all the inbound rules for the security group. Verify that the rule allowing inbound traffic from RFC 1918 IP addresses has been revoked.
Repeat this command for each security group identified in Step 1.
By following these steps, you can remediate the misconfiguration “Security Groups Should Not Allow Inbound Traffic From RFC 1918” for AWS using AWS CLI.
To remediate the misconfiguration of Security Groups allowing inbound traffic from RFC 1918 in AWS using Python, follow these steps:
- List all the security groups in your AWS account using the `describe_security_groups` method from the `boto3` library.
```python
import boto3

client = boto3.client('ec2')
response = client.describe_security_groups()
security_groups = response['SecurityGroups']
```
- Iterate through the security groups and for each security group, check if it allows inbound traffic from RFC 1918. If it does, update the security group to remove the rule.
```python
import ipaddress

# The three RFC 1918 private ranges this check is about.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

for sg in security_groups:
    for rule in sg['IpPermissions']:
        # Test the CIDR itself rather than the rule's description: an exact RFC 1918
        # block or any range inside one counts. IPv6 sources live under 'Ipv6Ranges'.
        for ip_range in rule.get('IpRanges', []):
            net = ipaddress.ip_network(ip_range['CidrIp'], strict=False)
            if not any(net.subnet_of(block) for block in RFC1918):
                continue
            # Revoke only the offending range so other sources on the rule remain.
            permission = {
                'IpProtocol': rule['IpProtocol'],
                'IpRanges': [{'CidrIp': ip_range['CidrIp']}],
            }
            # All-traffic rules (IpProtocol '-1') carry no FromPort/ToPort keys.
            if 'FromPort' in rule:
                permission['FromPort'] = rule['FromPort']
                permission['ToPort'] = rule['ToPort']
            client.revoke_security_group_ingress(
                GroupId=sg['GroupId'],
                IpPermissions=[permission],
            )
```
- After running the script, all the security groups that allow inbound traffic from RFC 1918 will be updated to remove the rule.
Note: Before running the script, make sure you have the necessary permissions to modify security groups in your AWS account.
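As an added example (not from the original page), the script below runs the same detection offline over saved JSON from `aws ec2 describe-security-groups`, so it works as a credential-free dry run before anything is revoked; it separates rules whose source is exactly one of the three RFC 1918 blocks (what the exact-value filter in CLI Step 1 matches) from rules whose source lies inside one of them, such as 10.1.0.0/16, and builds the IpPermissions entry that revokes just that range, including the all-traffic case with no ports. The group IDs and ranges in the sample are constructed, and the function names are the example's own.

```python
import ipaddress
import json

# The three RFC 1918 blocks the page's check is about.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like `aws ec2 describe-security-groups` output (hypothetical IDs);
# the all-traffic ("-1") rule has no FromPort/ToPort keys, as in real output.
SAMPLE_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.1.0.0/16", "Description": "office"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "172.31.0.0/16"}]}]}]})


def rfc1918_match(cidr):
    """'exact' if cidr is one of the three blocks, 'subnet' if it lies inside one
    (which an exact-value filter misses), None otherwise (IPv6 included)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return None
    for block in RFC1918:
        if net == block:
            return "exact"
        if net.subnet_of(block):
            return "subnet"
    return None


def find_rfc1918_ingress(describe_output):
    """One finding per offending IPv4 range, with an IpPermissions entry that
    revoke_security_group_ingress can consume to remove only that range."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                kind = rfc1918_match(rng["CidrIp"])
                if kind is None:
                    continue
                revoke = {"IpProtocol": perm["IpProtocol"], "IpRanges": [{"CidrIp": rng["CidrIp"]}]}
                if "FromPort" in perm:  # absent for all-traffic ("-1") rules
                    revoke["FromPort"], revoke["ToPort"] = perm["FromPort"], perm["ToPort"]
                findings.append({"GroupId": sg["GroupId"], "Match": kind, "Permission": revoke})
    return findings


if __name__ == "__main__":
    for f in find_rfc1918_ingress(SAMPLE_JSON):
        print(f["GroupId"], f["Match"], f["Permission"])
```

Feed it the saved output of the Step 1 command (without the `--query`) to see which findings the exact-match filter would have missed.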