More Info:

No security group should allow unrestricted inbound access to TCP port 80 (HTTP).

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, AWSWAF

Triage and Remediation

Remediation

Using Console

To remediate the issue of unrestricted HTTP access in AWS, you can follow the below steps:
  1. Login to your AWS console.
  2. Go to the EC2 dashboard.
  3. Click on the “Security Groups” option on the left-hand side menu.
  4. Select the security group that is associated with the instance that has unrestricted HTTP access.
  5. Click on the “Inbound Rules” tab.
  6. Find the rule that allows unrestricted HTTP access (port 80).
  7. Click on the “Edit” button for that rule.
  8. Change the source from “0.0.0.0/0” to a specific IP address or range of IP addresses that you want to allow access from.
  9. Click on the “Save” button to save the changes.
By following these steps, you have remediated the issue of unrestricted HTTP access in AWS by restricting access to a specific IP address or range of IP addresses.

To remediate the “Unrestricted HTTP Access Should Not Be Allowed” misconfiguration in AWS using AWS CLI, you can follow the below steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the security groups in your AWS account: 
    aws ec2 describe-security-groups
  3. Identify the security group that has unrestricted HTTP access. You can do this by looking for security groups that have port 80 open to the entire internet (0.0.0.0/0).
  4. Once you have identified the security group, run the following command to update the inbound rules of the security group to only allow HTTP access from specific IP addresses or CIDR blocks: 
    aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 80 --cidr 0.0.0.0/0
    Note: Replace <security-group-id> with the ID of the security group that you want to remediate.
  5. After running the above command, you can verify that the inbound rule for port 80 has been updated by running the following command: 
    aws ec2 describe-security-groups --group-ids <security-group-id>
    Note: Replace <security-group-id> with the ID of the security group that you updated.
  6. Verify that the inbound rule for port 80 is now restricted to specific IP addresses or CIDR blocks.
By following the above steps, you can remediate the “Unrestricted HTTP Access Should Not Be Allowed” misconfiguration in AWS using AWS CLI.
To remediate the unrestricted HTTP access misconfiguration in AWS using Python, you can follow these steps:
  1. Identify the security group(s) associated with the EC2 instance(s) that have unrestricted HTTP access.
  2. Use the AWS SDK for Python (boto3) to modify the inbound rules of the security group(s) to allow HTTP access only from trusted sources.
Here’s a sample Python code snippet to remediate the misconfiguration:
import boto3

# Replace <SECURITY_GROUP_ID> with the ID of the security group that needs to be remediated
security_group_id = '<SECURITY_GROUP_ID>'

# Create an EC2 client
ec2 = boto3.client('ec2')

# Get the current inbound rules of the security group
response = ec2.describe_security_groups(GroupIds=[security_group_id])
current_rules = response['SecurityGroups'][0]['IpPermissions']

# Modify the inbound rules to allow HTTP access only from trusted sources
new_rules = [
    {
        'IpProtocol': 'tcp',
        'FromPort': 80,
        'ToPort': 80,
        'IpRanges': [
            {
                'CidrIp': '<TRUSTED_CIDR>',
                'Description': 'Allow HTTP access from trusted source'
            }
        ]
    }
]

# Revoke the existing rules and authorize the new rules
ec2.revoke_security_group_ingress(GroupId=security_group_id, IpPermissions=current_rules)
ec2.authorize_security_group_ingress(GroupId=security_group_id, IpPermissions=new_rules)
In the above code, replace <SECURITY_GROUP_ID> with the ID of the security group that needs to be remediated and <TRUSTED_CIDR> with the CIDR block of the trusted source that should have HTTP access to the EC2 instance(s).Note: Make sure to test this code in a non-production environment before applying it to a production environment.

Additional Reading: