More Info:

No AWS EC2 security group should allow unrestricted inbound access to TCP port 3389 (RDP).

Risk Level

Medium

Address

Security

Compliance Standards

CISAWS, CBP, SOC2, PCIDSS, HITRUST, AWSWAF, GDPR, NISTCSF, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the unrestricted RDP access issue in AWS, you can follow these steps:
  1. Login to the AWS Management Console.
  2. Navigate to the EC2 service.
  3. Select the EC2 instance(s) for which you want to restrict RDP access.
  4. Click on the “Security Groups” tab in the bottom pane.
  5. Select the security group(s) associated with the instance(s).
  6. Click on the “Inbound Rules” tab.
  7. Locate the rule that allows RDP access from any IP address (0.0.0.0/0).
  8. Click on the “Edit” button next to the rule.
  9. Change the source IP address to a specific IP address or range of IP addresses that are allowed to access RDP.
  10. Click on the “Save” button to apply the changes.
  11. Repeat these steps for all instances that have unrestricted RDP access.
By following these steps, you can remediate the unrestricted RDP access issue in AWS and restrict RDP access to specific IP addresses only.

To remediate the unrestricted RDP access in AWS, you can follow the below steps using AWS CLI:
  1. Open the AWS CLI on your local machine.
  2. Run the below command to list all the security groups in your AWS account. 
aws ec2 describe-security-groups
  1. Identify the security group that allows unrestricted RDP access.
  2. Run the below command to revoke the inbound rule that allows unrestricted RDP access. 
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 3389 --cidr 0.0.0.0/0
Note: Replace <security-group-id> with the ID of the security group identified in step 3.
  1. Verify that the inbound rule has been revoked by running the below command.
aws ec2 describe-security-groups --group-ids <security-group-id>
Note: Replace <security-group-id> with the ID of the security group identified in step 3.
  1. Repeat steps 3 to 5 for all the security groups that allow unrestricted RDP access.
By following the above steps, you can remediate the unrestricted RDP access in AWS.
To remediate unrestricted RDP access in AWS using Python, you can follow these steps:
  1. Import the necessary AWS SDK libraries in your Python script. You can use the Boto3 library to interact with AWS services.
import boto3
  1. Initialize the EC2 client using the Boto3 library.
ec2 = boto3.client('ec2')
  1. Use the describe_security_groups method to get a list of all security groups in your AWS account.
response = ec2.describe_security_groups()
security_groups = response['SecurityGroups']
  1. Loop through the security groups and check if any of them have an inbound rule allowing unrestricted RDP access (port 3389).
for sg in security_groups:
    for rule in sg['IpPermissions']:
        if rule['IpProtocol'] == 'tcp' and rule['FromPort'] == 3389 and rule['ToPort'] == 3389 and rule['IpRanges'] == [{'CidrIp': '0.0.0.0/0'}]:
            # Remove the rule that allows unrestricted RDP access
            ec2.revoke_security_group_ingress(
                GroupId=sg['GroupId'],
                IpPermissions=[rule]
            )
  1. Save the Python script and run it to remove the rule that allows unrestricted RDP access in all security groups in your AWS account.
Note: Make sure you have the necessary permissions to modify security groups in your AWS account before running the script.

Additional Reading: