Unrestricted HTTP Access Should Not Be Allowed

More Info:

No security group should allow unrestricted inbound access to TCP port 80 (HTTP).

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Unrestricted HTTP Access Should Not Be Allowed” misconfiguration in AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI on your local machine.
Run the following command to list all the security groups in your AWS account:
```
aws ec2 describe-security-groups
```
Identify the security group that has unrestricted HTTP access. You can do this by looking for security groups that have port 80 open to the entire internet (0.0.0.0/0).
Once you have identified the security group, run the following command to update the inbound rules of the security group to only allow HTTP access from specific IP addresses or CIDR blocks:
```
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
```
Note: Replace <security-group-id> with the ID of the security group that you want to remediate.
After running the above command, you can verify that the inbound rule for port 80 has been updated by running the following command:
```
aws ec2 describe-security-groups --group-ids <security-group-id>
```
Note: Replace <security-group-id> with the ID of the security group that you updated.
Verify that the inbound rule for port 80 is now restricted to specific IP addresses or CIDR blocks.

By following the above steps, you can remediate the “Unrestricted HTTP Access Should Not Be Allowed” misconfiguration in AWS using AWS CLI.

Using Python

To remediate the unrestricted HTTP access misconfiguration in AWS using Python, you can follow these steps:

Identify the security group(s) associated with the EC2 instance(s) that have unrestricted HTTP access.
Use the AWS SDK for Python (boto3) to modify the inbound rules of the security group(s) to allow HTTP access only from trusted sources.

Here’s a sample Python code snippet to remediate the misconfiguration:

import boto3

# Replace <SECURITY_GROUP_ID> with the ID of the security group that needs to be remediated
security_group_id = '<SECURITY_GROUP_ID>'

# Create an EC2 client
ec2 = boto3.client('ec2')

# Get the current inbound rules of the security group
response = ec2.describe_security_groups(GroupIds=[security_group_id])
current_rules = response['SecurityGroups'][0]['IpPermissions']

# Modify the inbound rules to allow HTTP access only from trusted sources
new_rules = [
    {
        'IpProtocol': 'tcp',
        'FromPort': 80,
        'ToPort': 80,
        'IpRanges': [
            {
                'CidrIp': '<TRUSTED_CIDR>',
                'Description': 'Allow HTTP access from trusted source'
            }
        ]
    }
]

# Revoke the existing rules and authorize the new rules
ec2.revoke_security_group_ingress(GroupId=security_group_id, IpPermissions=current_rules)
ec2.authorize_security_group_ingress(GroupId=security_group_id, IpPermissions=new_rules)

In the above code, replace <SECURITY_GROUP_ID> with the ID of the security group that needs to be remediated and <TRUSTED_CIDR> with the CIDR block of the trusted source that should have HTTP access to the EC2 instance(s).Note: Make sure to test this code in a non-production environment before applying it to a production environment.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted HTTP Access Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: