Unrestricted FTP Access Should Not Be Allowed

More Info:

No security group should allow unrestricted inbound access to TCP ports 20 and 21 (FTP).

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the unrestricted FTP access issue in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Run the following command to list all the security groups in your AWS account:

aws ec2 describe-security-groups

Identify the security group that has unrestricted FTP access.
Run the following command to remove the unrestricted FTP access from the identified security group:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 21 --cidr 0.0.0.0/0

Note: Replace <security-group-id> with the actual ID of the security group that needs to be updated.

Verify that the FTP access has been removed by running the following command:

aws ec2 describe-security-groups --group-ids <security-group-id>

Note: Replace <security-group-id> with the actual ID of the security group that was updated.

Repeat the above steps for all the security groups in your AWS account to ensure that unrestricted FTP access is not allowed in any of them.

By following the above steps, you can remediate the unrestricted FTP access issue in AWS using AWS CLI.

Using Python

To remediate unrestricted FTP access in AWS, you can use the following steps in Python:Step 1: Identify the Security Group with unrestricted FTP access

import boto3
aws_account_id = 'YOUR_AWS_ACCOUNT_ID'
region = 'YOUR_AWS_REGION'
ec2 = boto3.client('ec2', region_name=region)
response = ec2.describe_security_groups()
for sg in response['SecurityGroups']:
    for ip_permission in sg['IpPermissions']:
        if 'FromPort' in ip_permission and ip_permission['FromPort'] == 21 and 'IpRanges' in ip_permission:
            for ip_range in ip_permission['IpRanges']:
                if ip_range['CidrIp'] == '0.0.0.0/0':
                    print('Security Group ID: ', sg['GroupId'])

This code will list all the security groups that have unrestricted FTP access.Step 2: Update the Security Group to restrict FTP access

import boto3
aws_account_id = 'YOUR_AWS_ACCOUNT_ID'
region = 'YOUR_AWS_REGION'
ec2 = boto3.client('ec2', region_name=region)
security_group_id = 'YOUR_SECURITY_GROUP_ID'
response = ec2.revoke_security_group_ingress(
    GroupId=security_group_id,
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 21,
            'ToPort': 21,
            'IpRanges': [
                {
                    'CidrIp': '0.0.0.0/0'
                },
            ],
        },
    ],
)

This code will restrict FTP access to the specified security group.Step 3: Verify that FTP access is restricted

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
try:
    s.connect(('FTP_SERVER_IP', 21))
    print('FTP access is still unrestricted')
except:
    print('FTP access is restricted')
s.close()

This code will verify that FTP access is restricted by attempting to connect to the FTP server. If the connection fails, it means that FTP access is restricted.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted FTP Access Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: