EC2 instances Should Not Be Publicly Accessible
More Info:
EC2 instances that are not on the list of known, intentionally public instances should not be publicly accessible. An instance is publicly accessible when it has a public IPv4 address (auto-assigned or an Elastic IP) or an IPv6 address and one of its security groups allows inbound traffic from the whole internet (source 0.0.0.0/0 or ::/0). It is good practice to maintain a list of instances that are meant to be reachable from the internet (bastion hosts, public web tier) and to flag every other instance that meets these criteria.
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, NIST, SOC2
Triage and Remediation
Remediation
To remediate the misconfiguration of EC2 instances being publicly accessible in AWS Security Groups, follow these steps using the AWS Management Console:
- Login to AWS Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and log in to your account.
- Navigate to EC2 Dashboard: Open the “Services” dropdown menu at the top left corner, select “EC2” under the Compute section, then choose “Instances” in the left-hand menu.
- Identify the EC2 Instance: Identify the instance(s) that are publicly accessible. Exposure is not visible in the “Instance State” or “Instance Type” columns; look at the “Public IPv4 address” (or “Public IPv4 DNS”) column to find instances with a public address, and then check whether their security groups allow inbound traffic from 0.0.0.0/0 or ::/0. Compare the result against your list of instances that are meant to be public.
- Identify Security Group: Select the EC2 instance that you want to remediate and open the “Security” tab (labelled “Description” in the previous console layout). Under “Security groups” you will see every security group attached to the instance; an instance can have several, and each one needs to be reviewed.
- Edit Security Group Rules: Click the security group ID. This takes you to the security group's details page with its “Inbound rules” tab. Note that a security group can be attached to more than one instance, so the change applies to all of them.
- Remove Public Access: Identify the rule(s) whose source is 0.0.0.0/0 or ::/0 (e.g., SSH port 22, RDP port 3389, HTTP port 80, or “All traffic”) and click “Edit inbound rules”.
- Modify Rule: In the Edit inbound rules window, click “Delete” next to each rule that allows public access. If the service has to stay reachable from specific networks, narrow the rule's source to those CIDR ranges instead of deleting it.
- Save Changes: Click the “Save rules” button to apply the changes to the security group.
- Verify Changes: Reopen the security group's “Inbound rules” tab and confirm that no remaining rule lists 0.0.0.0/0 or ::/0 as its source. The instance keeps its public IP address after this change, so the “Public IPv4 address” field on the instance page is not a useful check; the rules decide what can reach the address. If the instance does not need a public address at all, disassociate the Elastic IP or move the workload to a private subnet.
- Repeat for Other Instances: Repeat the above steps for any other EC2 instances that are publicly accessible, covering every security group attached to each of them.
By following these steps, you have successfully remediated the misconfiguration of EC2 instances being publicly accessible in AWS Security Groups.
To remediate the issue of EC2 instances being publicly accessible in AWS using the AWS CLI, follow these steps:
- Identify the security group(s) associated with the EC2 instance that is publicly accessible. You can do this by describing the instance and noting the security group IDs (an instance can have several):
aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text
- Describe the inbound rules of each identified security group to check whether any rule allows public access, i.e. lists 0.0.0.0/0 under IpRanges or ::/0 under Ipv6Ranges:
aws ec2 describe-security-groups --group-ids <security-group-id>
- Remove the inbound rule that allows public access (usually with 0.0.0.0/0 as the source) using the revoke-security-group-ingress command. The protocol, port and source must match the existing rule exactly, otherwise nothing is removed:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port <port-number> --cidr 0.0.0.0/0
Replace <security-group-id> with the actual security group ID and <port-number> with the specific port number (e.g., 22 for SSH, 80 for HTTP, 443 for HTTPS). The --cidr option only accepts IPv4 ranges; an “All traffic” rule (protocol -1) or a rule whose IPv6 source is ::/0 has to be revoked with the --ip-permissions form of the same command. If the service must stay reachable from specific networks, re-add the rule afterwards with authorize-security-group-ingress, replacing 0.0.0.0/0 with the appropriate source IP range.
- Verify that the inbound rule has been successfully removed by describing the security group again and confirming that no rule still lists 0.0.0.0/0 or ::/0:
aws ec2 describe-security-groups --group-ids <security-group-id>
By following these steps, you can remediate the issue of EC2 instances being publicly accessible in AWS by updating the security group rules to restrict access as needed.
To remediate the misconfiguration of EC2 instances being publicly accessible in AWS using Python, you can create a script that removes the security group rules that are open to the whole internet and re-creates them for specific IP addresses or ranges only. Here are the steps to remediate this issue:
- Install the Boto3 library: Make sure you have the Boto3 library installed in your Python environment. You can install it using pip:
pip install boto3
- Write a Python script to update the security group rules: Use the following Python script as a template. It revokes every inbound rule whose source is 0.0.0.0/0 or ::/0 and re-opens the same protocol and port range for the allowed ranges only, so the allowed ranges never receive more access than the public rule granted:
```python
import boto3

# Initialize the EC2 client
ec2 = boto3.client('ec2')

# Define the security group ID of the publicly accessible EC2 instance
security_group_id = 'your_security_group_id'

# Define the IP ranges that should keep access (leave the list empty to re-open nothing)
ip_ranges = [{'CidrIp': 'x.x.x.x/32'}, {'CidrIp': 'y.y.y.y/32'}]  # Add your desired IP ranges

group = ec2.describe_security_groups(GroupIds=[security_group_id])['SecurityGroups'][0]
for perm in group['IpPermissions']:
    # Only sources that cover the whole internet are revoked; other sources on the rule stay
    public_v4 = [r for r in perm.get('IpRanges', []) if r['CidrIp'] == '0.0.0.0/0']
    public_v6 = [r for r in perm.get('Ipv6Ranges', []) if r['CidrIpv6'] == '::/0']
    if not (public_v4 or public_v6):
        continue
    # Protocol and port range of the rule (FromPort/ToPort are absent for "all traffic", -1)
    base = {k: perm[k] for k in ('IpProtocol', 'FromPort', 'ToPort') if k in perm}
    revoke = dict(base)
    if public_v4:
        revoke['IpRanges'] = public_v4
    if public_v6:
        revoke['Ipv6Ranges'] = public_v6
    ec2.revoke_security_group_ingress(GroupId=security_group_id, IpPermissions=[revoke])
    # Re-open the same protocol/ports for the allowed ranges only
    # (fails with InvalidPermission.Duplicate if an identical rule already exists)
    if ip_ranges:
        ec2.authorize_security_group_ingress(GroupId=security_group_id,
                                             IpPermissions=[dict(base, IpRanges=ip_ranges)])

print('Security group rules updated successfully.')
```
- Replace 'your_security_group_id' with the actual security group ID of your EC2 instance, and define the IP ranges that should keep access to the EC2 instance in the ip_ranges variable.
- Run the Python script: Save the Python script in a file, for example, update_security_group.py, and run it using the Python interpreter:
python update_security_group.py
- Verify the changes: After running the script, verify that the security group rules have been updated to restrict access to the specified IP ranges only, for example by describing the security group again and confirming that no inbound rule lists 0.0.0.0/0 or ::/0 as its source.
By following these steps and customizing the script with your specific security group ID and IP ranges, you can remediate the misconfiguration of EC2 instances being publicly accessible in AWS.
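The triage step described at the top of this page, flagging every instance that is reachable from the internet and not on the list of known public instances, as a worked example. This is added code, not part of the original page or of any audit tool. It runs offline against constructed sample data in the shape of describe-instances and describe-security-groups output (the instance IDs, group IDs, addresses and the KNOWN_PUBLIC allow-list are made up), and the “latent” label for a private instance that carries a world-open rule is this example's own terminology. Only the collect_from_aws helper, which needs boto3 and credentials, touches a live account.

```python
import ipaddress

# Instances that are meant to be reachable from the internet (hypothetical allow-list; IDs are made up).
KNOWN_PUBLIC = {"i-0aaa1111bastion"}

# Constructed sample in the shape of describe-security-groups output, trimmed to the fields used here.
SAMPLE_GROUPS = {
    "sg-bastion": {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-web": {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    "sg-db": {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-internal": {"GroupId": "sg-internal", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
}

# Constructed sample in the shape of describe-instances output (Reservations[].Instances[] flattened).
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa1111bastion", "State": {"Name": "running"}, "PublicIpAddress": "198.51.100.10",
     "SecurityGroups": [{"GroupId": "sg-bastion"}], "NetworkInterfaces": []},
    {"InstanceId": "i-0bbb2222web", "State": {"Name": "running"}, "PublicIpAddress": "198.51.100.20",
     "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-internal"}], "NetworkInterfaces": []},
    {"InstanceId": "i-0ccc3333db", "State": {"Name": "running"},  # private subnet, no public address
     "SecurityGroups": [{"GroupId": "sg-db"}], "NetworkInterfaces": []},
    {"InstanceId": "i-0ddd4444app", "State": {"Name": "running"}, "PublicIpAddress": "198.51.100.40",
     "SecurityGroups": [{"GroupId": "sg-internal"}], "NetworkInterfaces": []},
]


def is_world_cidr(cidr):
    """True for a CIDR that covers the whole IPv4 or IPv6 address space (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def describe_ports(perm):
    """Readable protocol/port string; IpProtocol -1 means all traffic and carries no ports."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    ports = "all ports" if lo in (None, -1) else (str(lo) if lo == hi else f"{lo}-{hi}")
    return f"{perm['IpProtocol']}/{ports}"


def public_rules(group):
    """Inbound rules of one security group whose source is the entire internet.
    Prefix-list and security-group sources are not CIDRs and are not classified here."""
    found = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", []) if is_world_cidr(r["CidrIp"])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if is_world_cidr(r["CidrIpv6"])]
        if sources:
            found.append({"group": group["GroupId"], "ports": describe_ports(perm), "sources": sources})
    return found


def has_public_address(instance):
    """A public IPv4 (auto-assigned or Elastic IP) or any IPv6 address makes the instance routable."""
    if instance.get("PublicIpAddress"):
        return True
    return any(eni.get("Ipv6Addresses") for eni in instance.get("NetworkInterfaces", []))


def find_exposed_instances(instances, groups_by_id, known_public):
    """Flag instances with a world-open inbound rule. 'exposed' = also has a public address and is
    not on the allow-list; 'latent' = no public address, so not reachable from the internet today,
    but the rule opens it the moment one is attached. Allow-listed exposed instances are skipped."""
    findings = []
    for inst in instances:
        if inst["State"]["Name"] == "terminated":
            continue
        rules = [r for sg in inst.get("SecurityGroups", [])
                 for r in public_rules(groups_by_id.get(sg["GroupId"], {"GroupId": sg["GroupId"]}))]
        if not rules:
            continue
        status = "exposed" if has_public_address(inst) else "latent"
        if status == "exposed" and inst["InstanceId"] in known_public:
            continue
        findings.append({"instance": inst["InstanceId"], "status": status, "rules": rules})
    return findings


def collect_from_aws():
    """Pull live data with boto3 (imported here so the sample above runs without it or credentials)."""
    import boto3
    ec2 = boto3.client("ec2")
    instances = [i for page in ec2.get_paginator("describe_instances").paginate()
                 for res in page["Reservations"] for i in res["Instances"]]
    groups = {g["GroupId"]: g for page in ec2.get_paginator("describe_security_groups").paginate()
              for g in page["SecurityGroups"]}
    return instances, groups
```

On the sample data this reports i-0bbb2222web as exposed (tcp/80 from 0.0.0.0/0 and ::/0 via sg-web) and i-0ccc3333db as latent (tcp/3306 open to the world, but no public address); the bastion is on the allow-list and the app instance only accepts 10.0.0.0/8. Against a real account call find_exposed_instances(*collect_from_aws(), KNOWN_PUBLIC) once per region; it needs only ec2:DescribeInstances and ec2:DescribeSecurityGroups. Rules whose source is a managed prefix list or another security group are not classified and should be reviewed by hand.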