More Info:

No security group should allow unrestricted inbound access to TCP port 22 (SSH).

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, PCIDSS, NIST, SOC2, CISAWS, CBP, HITRUST, AWSWAF, GDPR, NISTCSF, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the unrestricted SSH access misconfiguration in AWS using the AWS console, you can follow these steps:
  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 service.
  3. Select the EC2 instance(s) that have unrestricted SSH access.
  4. Click on the “Actions” button and select “Networking” and then “Change Security Groups”.
  5. In the “Change Security Groups” window, select the security group associated with the instance(s) and click “Edit”.
  6. In the “Edit inbound rules” window, locate the SSH rule (port 22) and remove it or restrict it to only allow traffic from specific IP addresses or ranges.
  7. Click “Save” to apply the changes.
Once you have completed these steps, the unrestricted SSH access misconfiguration will be remediated and the instance(s) will be more secure.

To remediate unrestricted SSH access in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Run the following command to list all the security groups in your AWS account: 
aws ec2 describe-security-groups
  1. Identify the security group that allows unrestricted SSH access. You can look for a security group that has a rule allowing SSH traffic from 0.0.0.0/0 (any IP address) or ::/0 (any IPv6 address).
  2. Once you have identified the security group, note down its Group ID.
  3. Run the following command to revoke the SSH access rule from the security group: 
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 22 --cidr 0.0.0.0/0
Replace <security-group-id> with the Group ID of the security group that allows unrestricted SSH access.
  1. Verify that the SSH access rule has been revoked by running the following command:
aws ec2 describe-security-groups --group-ids <security-group-id>
Replace <security-group-id> with the Group ID of the security group that allows unrestricted SSH access.
  1. Repeat the above steps for all the security groups in your AWS account to ensure that SSH access is not allowed from any unauthorized IP addresses.
To remediate the unrestricted SSH access issue in AWS using Python, follow these steps:
  1. Import the necessary AWS SDKs and libraries in your Python script. You will need to import the boto3 library to interact with AWS services.
import boto3
  1. Create a client session for EC2 using boto3.client().
ec2 = boto3.client('ec2')
  1. Use the describe_security_groups() method to retrieve all the security groups in your AWS account.
security_groups = ec2.describe_security_groups()
  1. Loop through each security group and check if it has any inbound rules allowing SSH access from any IP address (0.0.0.0/0).
for sg in security_groups['SecurityGroups']:
    for rule in sg['IpPermissions']:
        if rule['IpProtocol'] == 'tcp' and rule['FromPort'] <= 22 and rule['ToPort'] >= 22:
            for ip_range in rule['IpRanges']:
                if ip_range['CidrIp'] == '0.0.0.0/0':
                    print(f"Security group {sg['GroupId']} allows unrestricted SSH access.")
  1. If any security group is found to have unrestricted SSH access, use the revoke_security_group_ingress() method to remove the rule allowing SSH access from any IP address.
ec2.revoke_security_group_ingress(
    GroupId=sg['GroupId'],
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 22,
            'ToPort': 22,
            'IpRanges': [
                {
                    'CidrIp': '0.0.0.0/0'
                }
            ]
        }
    ]
)
  1. Run the Python script to remediate the unrestricted SSH access issue in your AWS account.
Note: Make sure to run the script with appropriate AWS credentials and permissions.

Additional Reading: