AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Unrestricted HTTPS Access Should Not Be Allowed
More Info:
No security group should allow unrestricted inbound access to TCP port 443 (HTTPS).
Risk Level
Low
Address
Security
Compliance Standards
AWSWAF, SOC2, GDPR
Triage and Remediation
Remediation
To remediate the “Unrestricted HTTPS Access Should Not Be Allowed” misconfiguration in AWS, you can follow these steps:
- Log in to the AWS Management Console.
- Navigate to the AWS EC2 service.
- Click on the “Security Groups” option from the left-hand menu.
- Select the security group that is associated with the instance(s) that have unrestricted HTTPS access.
- Click on the “Inbound Rules” tab.
- Locate the HTTPS rule that has unrestricted access (i.e., source is set to “0.0.0.0/0” or ”::/0”).
- Click on the “Edit” button for the rule.
- Change the source to a more restrictive IP range or security group that requires HTTPS access.
- Click on the “Save Rules” button to apply the changes.
Note: If you are unsure which security group is associated with the instance(s) that have unrestricted HTTPS access, you can view the instance details to find the security group ID and then navigate to the Security Groups section to find the security group.
To remediate the misconfiguration of unrestricted HTTPS access in AWS using AWS CLI, follow these steps:
Step 1: Open the AWS CLI in your terminal or command prompt.
Step 2: Run the following command to list all the security groups in your AWS account:
aws ec2 describe-security-groups
Step 3: Identify the security group(s) that have unrestricted HTTPS access allowed.
Step 4: Run the following command to remove the HTTPS access rule from the identified security group(s):
aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol tcp --port 443 --cidr 0.0.0.0/0
Note: Replace <security_group_id> with the actual ID of the security group that needs to be remediated.
Step 5: Verify that the HTTPS access rule has been removed by running the following command:
aws ec2 describe-security-groups --group-id <security_group_id>
Note: Replace <security_group_id> with the actual ID of the security group that was remediated.
Step 6: Repeat the above steps for all the security groups that have unrestricted HTTPS access allowed.
By following the above steps, you can remediate the misconfiguration of unrestricted HTTPS access in AWS using AWS CLI.
To remediate the unrestricted HTTPS access issue in AWS using Python, you can follow the below steps:
- Identify the Security Group(s) which are allowing unrestricted HTTPS access.
- Using the AWS SDK for Python (Boto3), modify the inbound rules of the identified Security Group(s) to allow HTTPS access only from trusted sources.
- Create a script to automate this process for all the Security Group(s) in your AWS account.
Here is a sample Python code to remediate the issue:
import boto3
# Define the AWS region and security group id
region = 'us-east-1'
security_group_id = 'sg-0123456789abcdef'
# Create an EC2 client
ec2 = boto3.client('ec2', region_name=region)
# Get the existing inbound rules of the security group
response = ec2.describe_security_groups(GroupIds=[security_group_id])
# Modify the inbound rules to allow HTTPS access only from trusted sources
ec2.authorize_security_group_ingress(
GroupId=security_group_id,
IpPermissions=[
{
'IpProtocol': 'tcp',
'FromPort': 443,
'ToPort': 443,
'IpRanges': [
{
'CidrIp': 'trusted_ip_address/32'
}
]
}
]
)
Note: Replace the region and security_group_id variables with your own values. Also, replace the trusted_ip_address with the IP address(es) of the trusted sources that should be allowed HTTPS access.