More Info:

No security group should allow unrestricted inbound access to TCP port 135 (RPC).

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, HITRUST, AWSWAF, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the issue of unrestricted RPC access in AWS, you can follow these steps:
  1. Open the AWS Management Console and go to the EC2 dashboard.
  2. Click on the “Security Groups” option in the left-hand menu.
  3. Select the security group that is allowing unrestricted RPC access.
  4. Click on the “Inbound Rules” tab and locate the rule that allows RPC access.
  5. Click on the “Edit” button next to the rule.
  6. Change the source IP address to a specific IP address or range of IP addresses that require access to RPC.
  7. If necessary, add a new rule to allow access to RPC from specific IP addresses or ranges.
  8. Click on the “Save” button to apply the changes.
Once the changes are saved, the security group will no longer allow unrestricted RPC access. It is important to regularly review and update security group rules to ensure that they are properly configured and do not leave any vulnerabilities open to attack.

To remediate the “Unrestricted RPC Access Should Not Be Allowed” misconfiguration in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list the security groups in your AWS account: 
    aws ec2 describe-security-groups
  3. Identify the security group that has the unrestricted RPC access.
  4. Run the following command to modify the security group and remove the unrestricted RPC access: 
    aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 111 --cidr 0.0.0.0/0
    Note: Replace <security-group-id> with the ID of the security group that has the unrestricted RPC access.
  5. Run the following command to verify that the unrestricted RPC access has been removed: 
    aws ec2 describe-security-groups --group-ids <security-group-id>
    Note: Replace <security-group-id> with the ID of the security group that has the unrestricted RPC access.
  6. Verify that the remediation was successful by confirming that the security group no longer has unrestricted RPC access.
By following these steps, you can remediate the “Unrestricted RPC Access Should Not Be Allowed” misconfiguration in AWS using AWS CLI.
To remediate the “Unrestricted RPC Access Should Not Be Allowed” issue in AWS using Python, follow the below steps:
  1. First, we need to identify the security group that allows unrestricted RPC access. You can use the following Python code to list all the security groups in your AWS account:
import boto3

ec2 = boto3.client('ec2')

response = ec2.describe_security_groups()
for sg in response['SecurityGroups']:
    print(sg['GroupId'], sg['GroupName'])
  1. Once you have identified the security group that allows unrestricted RPC access, you can use the following Python code to revoke the rule:
import boto3

ec2 = boto3.client('ec2')

response = ec2.revoke_security_group_ingress(
    GroupId='SECURITY_GROUP_ID',
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 135,
            'ToPort': 139,
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
        },
        {
            'IpProtocol': 'tcp',
            'FromPort': 445,
            'ToPort': 445,
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
        },
        {
            'IpProtocol': 'udp',
            'FromPort': 137,
            'ToPort': 138,
            'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
        }
    ]
)
In the above code, replace ‘SECURITY_GROUP_ID’ with the ID of the security group that allows unrestricted RPC access.
  1. The above code will revoke the rule that allows unrestricted RPC access. You can run the first code again to verify that the rule has been revoked.
Note: The above code assumes that you have the necessary permissions to modify security groups in your AWS account.

Additional Reading: