Unrestricted HTTPS Access Should Not Be Allowed

More Info:

No security group should allow unrestricted inbound access to TCP port 443 (HTTPS).

Risk Level

Low

Address

Security

Compliance Standards

AWSWAF, SOC2, GDPR

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of unrestricted HTTPS access in AWS using AWS CLI, follow these steps:Step 1: Open the AWS CLI in your terminal or command prompt.Step 2: Run the following command to list all the security groups in your AWS account:

aws ec2 describe-security-groups

Step 3: Identify the security group(s) that have unrestricted HTTPS access allowed.Step 4: Run the following command to remove the HTTPS access rule from the identified security group(s):

aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol tcp --port 443 --cidr 0.0.0.0/0

Note: Replace <security_group_id> with the actual ID of the security group that needs to be remediated.Step 5: Verify that the HTTPS access rule has been removed by running the following command:

aws ec2 describe-security-groups --group-id <security_group_id>

Note: Replace <security_group_id> with the actual ID of the security group that was remediated.Step 6: Repeat the above steps for all the security groups that have unrestricted HTTPS access allowed.By following the above steps, you can remediate the misconfiguration of unrestricted HTTPS access in AWS using AWS CLI.

Using Python

To remediate the unrestricted HTTPS access issue in AWS using Python, you can follow the below steps:

Identify the Security Group(s) which are allowing unrestricted HTTPS access.
Using the AWS SDK for Python (Boto3), modify the inbound rules of the identified Security Group(s) to allow HTTPS access only from trusted sources.
Create a script to automate this process for all the Security Group(s) in your AWS account.

Here is a sample Python code to remediate the issue:

import boto3

# Define the AWS region and security group id
region = 'us-east-1'
security_group_id = 'sg-0123456789abcdef'

# Create an EC2 client
ec2 = boto3.client('ec2', region_name=region)

# Get the existing inbound rules of the security group
response = ec2.describe_security_groups(GroupIds=[security_group_id])

# Modify the inbound rules to allow HTTPS access only from trusted sources
ec2.authorize_security_group_ingress(
    GroupId=security_group_id,
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 443,
            'ToPort': 443,
            'IpRanges': [
                {
                    'CidrIp': 'trusted_ip_address/32'
                }
            ]
        }
    ]
)

Note: Replace the region and security_group_id variables with your own values. Also, replace the trusted_ip_address with the IP address(es) of the trusted sources that should be allowed HTTPS access.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted HTTPS Access Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: