Unrestricted Inbound Access on All Non-HTTP Ports Should Not Be Allowed

More Info:

No EC2 security group should allow unrestricted inbound access to any Non-HTTP Ports.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, NIST, PCIDSS, AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of unrestricted inbound access on all Non-HTTP Ports in AWS using AWS CLI, you can follow the below steps:

Identify the security group that has unrestricted inbound access on all Non-HTTP Ports.
Use the AWS CLI command to update the security group to restrict inbound access.
Verify that the security group is updated successfully.

The following is a step-by-step guide on how to remediate the misconfiguration:Step 1: Identify the security group that has unrestricted inbound access on all Non-HTTP Ports.You can use the AWS CLI command to list all the security groups in your AWS account:

aws ec2 describe-security-groups

This command will list all the security groups in your AWS account along with their details.Identify the security group that has unrestricted inbound access on all Non-HTTP Ports. You can identify it by checking the inbound rules of each security group.Step 2: Use the AWS CLI command to update the security group to restrict inbound access.Once you have identified the security group that has unrestricted inbound access on all Non-HTTP Ports, you can use the following AWS CLI command to update the security group to restrict inbound access:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-range> --cidr <ip-address>

Replace <security-group-id> with the ID of the security group that you want to update, <port-range> with the port range that you want to restrict, and <ip-address> with the IP address range that you want to restrict.For example, if you want to restrict inbound access to port 22 (SSH) for the security group with ID sg-0123456789abcdef0, you can use the following command:

aws ec2 revoke-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 22 --cidr 0.0.0.0/0

This command will revoke the inbound rule that allows unrestricted access to port 22 for all IP addresses.Step 3: Verify that the security group is updated successfully.You can use the following AWS CLI command to describe the security group and verify that the inbound rule is revoked successfully:

aws ec2 describe-security-groups --group-ids <security-group-id>

Replace <security-group-id> with the ID of the security group that you updated.This command will describe the security group and show the inbound rules for the security group. Verify that the inbound rule that allows unrestricted access to the uncommon port is revoked successfully.Repeat the above steps for all the security groups that have unrestricted inbound access on Non-HTTP Ports.

Using Python

To remediate the misconfiguration of unrestricted inbound access on all Non-HTTP Ports in AWS using Python, you can follow the below steps:Step 1: Install the Boto3 library for Python using the following command:

!pip install boto3

Step 2: Create an AWS session using the following code:

import boto3

session = boto3.Session(
    aws_access_key_id='ACCESS_KEY',
    aws_secret_access_key='SECRET_KEY',
    region_name='REGION_NAME'
)

Step 3: Get the list of all security groups in your AWS account using the following code:

ec2_client = session.client('ec2')
response = ec2_client.describe_security_groups()

Step 4: Loop through all the security groups and check if they have any inbound rules with port numbers other than the common ports (e.g., 80, 443, 22, etc.). If any such rules are found, delete them using the following code:

for sg in response['SecurityGroups']:
    for rule in sg['IpPermissions']:
        if 'FromPort' in rule and 'ToPort' in rule:
            if rule['FromPort'] not in [80, 443, 22] and rule['ToPort'] not in [80, 443, 22]:
                ec2_client.revoke_security_group_ingress(
                    GroupId=sg['GroupId'],
                    IpPermissions=[rule]
                )

Step 5: Once all the security groups have been checked and updated, print a message indicating that the remediation process is complete:

print("Security group remediation complete!")

Overall, the above steps will help remediate the misconfiguration of unrestricted inbound access on all Non-HTTP Ports in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRuleshttps://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted Inbound Access on All Non-HTTP Ports Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: