More Info:

No security group should allow unrestricted inbound access using Internet Control Message Protocol (ICMP).

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the “Unrestricted ICMP Access Should Not Be Allowed” misconfiguration in AWS using the AWS console, you can follow the below steps:
  1. Log in to the AWS Management Console and navigate to the EC2 Dashboard.
  2. Click on the “Security Groups” option from the left-hand menu.
  3. Select the security group that has unrestricted ICMP access.
  4. Click on the “Inbound Rules” tab.
  5. Locate the rule that allows all ICMP traffic (Protocol: ICMP, Port Range: All).
  6. Click on the “Edit” button for that rule.
  7. Change the “Source” field to a specific IP range or security group that requires access to ICMP traffic. If you want to allow ICMP traffic from any IP address, you can select “My IP” option.
  8. Click on the “Save” button to apply the changes.
Once the above steps are completed, the ICMP traffic will be restricted to the specified IP range or security group.

To remediate the unrestricted ICMP access issue in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI or AWS Management Console.
  2. Identify the security group that has unrestricted ICMP access. You can use the following command to list all the security groups in your AWS account: 
aws ec2 describe-security-groups
  1. Once you have identified the security group, use the following command to revoke the ICMP access rule:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol icmp
Replace <security-group-id> with the ID of the security group that has unrestricted ICMP access.
  1. Verify that the ICMP access rule has been revoked by running the following command:
aws ec2 describe-security-groups --group-ids <security-group-id>
This should return the details of the security group, which should no longer have the ICMP access rule.
  1. Repeat the above steps for all the security groups that have unrestricted ICMP access.
By following these steps, you can remediate the unrestricted ICMP access issue in AWS using AWS CLI.
To remediate the misconfiguration of unrestricted ICMP access in AWS using Python, you can follow these steps:
  1. Identify the security group(s) that allow unrestricted ICMP access.
  2. Use the AWS SDK for Python (Boto3) to modify the security group(s) and remove the rule that allows unrestricted ICMP access.
Here’s an example Python code snippet that you can use to remediate the misconfiguration:
import boto3

# Initialize the Boto3 client
ec2 = boto3.client('ec2')

# Define the security group ID(s) that allow unrestricted ICMP access
security_group_ids = ['sg-0123456789abcdefg', 'sg-abcdef0123456789']

# Loop through the security group IDs and remove the rule that allows unrestricted ICMP access
for sg_id in security_group_ids:
    # Describe the security group
    response = ec2.describe_security_groups(GroupIds=[sg_id])
    security_group = response['SecurityGroups'][0]

    # Loop through the inbound rules and remove the rule that allows unrestricted ICMP access
    for rule in security_group['IpPermissions']:
        if rule['IpProtocol'] == 'icmp' and rule['IpRanges'] == [{'CidrIp': '0.0.0.0/0'}]:
            ec2.revoke_security_group_ingress(
                GroupId=sg_id,
                IpPermissions=[{
                    'IpProtocol': 'icmp',
                    'IpRanges': [{'CidrIp': '0.0.0.0/0'}],
                    'UserIdGroupPairs': [],
                    'PrefixListIds': [],
                    'Ipv6Ranges': []
                }]
            )
Note: Replace the security_group_ids with the actual security group IDs that allow unrestricted ICMP access.

Additional Reading: