EC2 Instance Should Not Have Open ICMP ports
More Info:
ICMP ports should not be open for EC2 instances.
Risk Level
Medium
Address
Security
Compliance Standards
NIST
Triage and Remediation
Remediation
To remediate the misconfiguration of an EC2 instance having open ICMP ports in AWS Security Groups, follow these steps using the AWS Management Console:
- Sign in to the AWS Management Console.
- Navigate to the EC2 dashboard.
- In the navigation pane, choose “Security Groups.”
- Select the security group associated with the EC2 instance that has open ICMP ports.
- In the “Inbound rules” tab, locate the rule that allows ICMP traffic (Protocol: ICMP) with any source (0.0.0.0/0 or ::/0).
- Select the rule by checking the box next to it.
- Click on the “Actions” dropdown menu and choose “Edit inbound rules.”
- In the Edit inbound rules dialog box, locate the ICMP rule and click on the “X” icon to remove it.
- Click the “Save rules” button to apply the changes.
By following these steps, you have remediated the misconfiguration of the EC2 instance having open ICMP ports in the AWS Security Group. Now, the instance will no longer allow ICMP traffic from any source.
To remediate the open ICMP ports on an EC2 instance in AWS using the AWS CLI, follow these steps:
- Identify the Security Group associated with the EC2 instance that has the open ICMP ports. Run the following AWS CLI command to list the security groups attached to the instance:
aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text
Replace <instance-id> with the actual ID of the EC2 instance.
- Identify the inbound rules in the Security Group that allow ICMP traffic. Run the following AWS CLI command to describe the inbound rules of the Security Group:
aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[*].IpPermissions[]'
Replace <security-group-id> with the Security Group ID obtained in the previous step. Look for entries whose IpProtocol is icmp and whose source range is open, such as 0.0.0.0/0.
- Revoke the inbound rule that allows ICMP traffic. Run the following AWS CLI command, substituting the protocol, port range and CIDR from the output of the previous step (for ICMP, the value given to --port is the ICMP type and code rather than a TCP/UDP port; -1 means all types and codes):
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol icmp --port <port-range> --cidr <cidr-ip>
- Verify that the inbound rule allowing ICMP traffic has been revoked. Describe the inbound rules of the Security Group again and confirm that the ICMP rule is no longer present:
aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[*].IpPermissions[]'
By following these steps, you can remediate the open ICMP ports on an EC2 instance in AWS using the AWS CLI.
To remediate the misconfiguration of an EC2 instance having open ICMP ports in AWS Security Groups using Python, follow these steps:
- Install the Boto3 library using pip if you haven’t already:
pip install boto3
- Use the following Python script to identify and revoke the ingress rules that allow ICMP traffic in the specified security group:
import boto3

# Initialize the EC2 client (credentials and region come from the standard
# boto3 configuration: environment variables, a profile or an instance role)
ec2 = boto3.client('ec2')

# Specify the security group ID that needs to be remediated
security_group_id = 'YOUR_SECURITY_GROUP_ID'

# Describe the security group to get the current ingress rules
response = ec2.describe_security_groups(GroupIds=[security_group_id])
ingress_rules = response['SecurityGroups'][0]['IpPermissions']

# Revoke every ingress rule whose protocol is ICMP. A rule dictionary returned
# by describe_security_groups has the same shape revoke_security_group_ingress
# expects, so it is passed back unchanged; note that this removes the whole
# rule, including every source range listed in it.
for rule in ingress_rules:
    if rule.get('IpProtocol') == 'icmp':
        ec2.revoke_security_group_ingress(
            GroupId=security_group_id,
            IpPermissions=[rule]
        )
        print(f"Revoked ICMP rule in security group: {security_group_id}")
- Replace 'YOUR_SECURITY_GROUP_ID' with the actual ID of the security group that needs to be remediated.
- Run the Python script, and it will revoke any ingress rule that allows ICMP traffic in the specified security group.
By following these steps, you can remediate the misconfiguration of an EC2 instance having open ICMP ports in AWS Security Groups using Python.
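The script above revokes whole ICMP rules; the following added example (not part of the original page or of any vendor tooling) shows the detection side of the check and a narrower remediation payload. It inspects an IpPermissions list in the shape boto3's describe_security_groups returns, flags only ICMP, ICMPv6 and all-traffic ("-1") rules whose source is 0.0.0.0/0 or ::/0, and emits a minimal entry per offending CIDR so that internal ranges sharing the same rule are left in place; the sample rules are constructed and do not come from a real account.

```python
import ipaddress

ICMP_PROTOCOLS = {"icmp", "icmpv6", "-1"}  # "-1" is "all traffic", which also carries ICMP

# Constructed sample in the shape of SecurityGroups[0]['IpPermissions'] from
# boto3's describe_security_groups (not data from any real account).
SAMPLE_INGRESS = [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,        # all ICMP, world + VPC
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,         # echo request, VPC only
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "icmpv6", "FromPort": -1, "ToPort": -1,      # all ICMPv6 from anywhere
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
     "PrefixListIds": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,         # not ICMP: out of scope
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
]


def _is_anywhere(cidr: str) -> bool:
    """True for the unrestricted ranges 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_icmp_rules(ip_permissions: list[dict]) -> list[dict]:
    """Return one minimal IpPermissions entry per ICMP rule / open CIDR pair.

    Each entry can be passed as IpPermissions=[entry] to
    revoke_security_group_ingress; because it names only the offending
    CIDR, other source ranges in the same rule are not touched.
    """
    findings = []
    for rule in ip_permissions:
        if rule.get("IpProtocol") not in ICMP_PROTOCOLS:
            continue
        base = {"IpProtocol": rule["IpProtocol"]}
        if rule["IpProtocol"] != "-1":            # all-traffic rules carry no ports
            base["FromPort"] = rule.get("FromPort", -1)
            base["ToPort"] = rule.get("ToPort", -1)
        for r in rule.get("IpRanges", []):
            if _is_anywhere(r["CidrIp"]):
                findings.append({**base, "IpRanges": [{"CidrIp": r["CidrIp"]}]})
        for r in rule.get("Ipv6Ranges", []):
            if _is_anywhere(r["CidrIpv6"]):
                findings.append({**base, "Ipv6Ranges": [{"CidrIpv6": r["CidrIpv6"]}]})
    return findings


if __name__ == "__main__":
    for finding in open_icmp_rules(SAMPLE_INGRESS):
        print(finding)
```

To use it against a live group, feed it the IpPermissions list from describe_security_groups and pass each returned entry to revoke_security_group_ingress; an empty result means the group passes this check.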