Security group rfc remediation

Using Console

Using CLI

To remediate the misconfiguration “Security Groups Should Not Allow Inbound Traffic From RFC 1918” for AWS using AWS CLI, you can follow the below steps:Step 1: Identify the Security Group(s) that allow inbound traffic from RFC 1918 IP addresses.

aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

This command will list all the security groups that allow inbound traffic from RFC 1918 IP addresses.Step 2: Revoke the Inbound Rule from the Security Group(s) identified in Step 1.

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-number> --cidr <RFC 1918 IP address range>

Replace <security-group-id> with the ID of the security group, <port-number> with the port number that is open to RFC 1918 IP addresses, and <RFC 1918 IP address range> with the appropriate RFC 1918 IP address range.Repeat this command for each security group identified in Step 1.Step 3: Verify that the Inbound Rule has been revoked.

aws ec2 describe-security-groups --group-id <security-group-id> --query "SecurityGroups[*].IpPermissions[*].{Protocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,IPRange:CidrIp}"

Replace <security-group-id> with the ID of the security group.This command will list all the inbound rules for the security group. Verify that the rule allowing inbound traffic from RFC 1918 IP addresses has been revoked.Repeat this command for each security group identified in Step 1.By following these steps, you can remediate the misconfiguration “Security Groups Should Not Allow Inbound Traffic From RFC 1918” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration of Security Groups allowing inbound traffic from RFC 1918 in AWS using Python, follow these steps:

List all the security groups in your AWS account using the describe_security_groups method from the boto3 library.

import boto3

client = boto3.client('ec2')

response = client.describe_security_groups()
security_groups = response['SecurityGroups']

Iterate through the security groups and for each security group, check if it allows inbound traffic from RFC 1918. If it does, update the security group to remove the rule.

for sg in security_groups:
    for rule in sg['IpPermissions']:
        if 'IpRanges' in rule:
            for ip_range in rule['IpRanges']:
                if 'Description' in ip_range and 'RFC 1918' in ip_range['Description']:
                    sg_id = sg['GroupId']
                    protocol = rule['IpProtocol']
                    from_port = rule['FromPort']
                    to_port = rule['ToPort']
                    cidr_ip = ip_range['CidrIp']
                    client.revoke_security_group_ingress(
                        GroupId=sg_id,
                        IpPermissions=[
                            {
                                'IpProtocol': protocol,
                                'FromPort': from_port,
                                'ToPort': to_port,
                                'IpRanges': [
                                    {
                                        'CidrIp': cidr_ip,
                                        'Description': 'Removed RFC 1918 rule'
                                    },
                                ],
                            },
                        ],
                    )

After running the script, all the security groups that allow inbound traffic from RFC 1918 will be updated to remove the rule.

Note: Before running the script, make sure you have the necessary permissions to modify security groups in your AWS account.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Security group rfc remediation

Triage and Remediation

Remediation