More Info:

No EC2 security group should allow unrestricted inbound access to any Non-HTTP Ports.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, NIST, PCIDSS, AWSWAF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of unrestricted inbound access on all Non-HTTP Ports in AWS, you can follow the below steps:
  1. Log in to your AWS console and navigate to the EC2 dashboard.
  2. Select the EC2 instance(s) for which you want to remediate the misconfiguration.
  3. Click on the “Security Groups” option under the “Description” tab.
  4. Identify the security group that is associated with the selected instance(s).
  5. Click on the “Inbound Rules” tab and identify the rule(s) that allow unrestricted inbound access on Non-HTTP Ports.
  6. Select the rule(s) and click on the “Edit” button.
  7. Change the “Source” field to limit the inbound access to specific IP addresses or CIDR blocks.
  8. Alternatively, you can also choose to restrict access to specific ports by changing the “Port Range” field.
  9. Click on the “Save” button to save the changes.
By following these steps, you can remediate the misconfiguration of unrestricted inbound access on all Non-HTTP Ports in AWS.

To remediate the misconfiguration of unrestricted inbound access on all Non-HTTP Ports in AWS using AWS CLI, you can follow the below steps:
  1. Identify the security group that has unrestricted inbound access on all Non-HTTP Ports.
  2. Use the AWS CLI command to update the security group to restrict inbound access.
  3. Verify that the security group is updated successfully.
The following is a step-by-step guide on how to remediate the misconfiguration:Step 1: Identify the security group that has unrestricted inbound access on all Non-HTTP Ports.You can use the AWS CLI command to list all the security groups in your AWS account:
aws ec2 describe-security-groups
This command will list all the security groups in your AWS account along with their details.Identify the security group that has unrestricted inbound access on all Non-HTTP Ports. You can identify it by checking the inbound rules of each security group.Step 2: Use the AWS CLI command to update the security group to restrict inbound access.Once you have identified the security group that has unrestricted inbound access on all Non-HTTP Ports, you can use the following AWS CLI command to update the security group to restrict inbound access:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-range> --cidr <ip-address>
Replace <security-group-id> with the ID of the security group that you want to update, <port-range> with the port range that you want to restrict, and <ip-address> with the IP address range that you want to restrict.For example, if you want to restrict inbound access to port 22 (SSH) for the security group with ID sg-0123456789abcdef0, you can use the following command:
aws ec2 revoke-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 22 --cidr 0.0.0.0/0
This command will revoke the inbound rule that allows unrestricted access to port 22 for all IP addresses.Step 3: Verify that the security group is updated successfully.You can use the following AWS CLI command to describe the security group and verify that the inbound rule is revoked successfully:
aws ec2 describe-security-groups --group-ids <security-group-id>
Replace <security-group-id> with the ID of the security group that you updated.This command will describe the security group and show the inbound rules for the security group. Verify that the inbound rule that allows unrestricted access to the uncommon port is revoked successfully.Repeat the above steps for all the security groups that have unrestricted inbound access on Non-HTTP Ports.
To remediate the misconfiguration of unrestricted inbound access on all Non-HTTP Ports in AWS using Python, you can follow the below steps:Step 1: Install the Boto3 library for Python using the following command:
!pip install boto3
Step 2: Create an AWS session using the following code:
import boto3

session = boto3.Session(
    aws_access_key_id='ACCESS_KEY',
    aws_secret_access_key='SECRET_KEY',
    region_name='REGION_NAME'
)
Step 3: Get the list of all security groups in your AWS account using the following code:
ec2_client = session.client('ec2')
response = ec2_client.describe_security_groups()
Step 4: Loop through all the security groups and check if they have any inbound rules with port numbers other than the common ports (e.g., 80, 443, 22, etc.). If any such rules are found, delete them using the following code:
for sg in response['SecurityGroups']:
    for rule in sg['IpPermissions']:
        if 'FromPort' in rule and 'ToPort' in rule:
            if rule['FromPort'] not in [80, 443, 22] and rule['ToPort'] not in [80, 443, 22]:
                ec2_client.revoke_security_group_ingress(
                    GroupId=sg['GroupId'],
                    IpPermissions=[rule]
                )
Step 5: Once all the security groups have been checked and updated, print a message indicating that the remediation process is complete:
print("Security group remediation complete!")
Overall, the above steps will help remediate the misconfiguration of unrestricted inbound access on all Non-HTTP Ports in AWS using Python.

Additional Reading: