Ensure AWS Security Group does not allow all traffic on SSH port 22

Error: AWS Security Group allows all traffic on SSH port 22

Bridgecrew Policy ID: BC_AWS_NETWORKING_1
Checkov Check ID: CKV_AWS_24
Severity: LOW

AWS Security Group allows all traffic on SSH port 22

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Fix - Runtime

AWS Console

To implement the prescribed state, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon VPC console.
  3. In the left pane, click Security Groups.
  4. For each security group, perform the following:
    a) Select the security group.
    b) Click Inbound Rules.
    c) Identify the rules to be removed.
    d) Click X in the Remove column.
  5. Click Save.

CLI Command

  1. Review the rules for an existing security group (replace the security group ID and region with your own):
aws ec2 describe-security-groups \
    --group-ids sg-xxxxxxxxxxxxxxxxx \
    --region us-east-1
  2. Review any EC2 instances using the security group:
aws ec2 describe-instances \
    --filters Name=instance.group-id,Values=sg-xxxxxxxxxxxxxxxxx \
    --region us-east-1
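The describe-security-groups output above is what you would inspect by hand. As an added example (not part of this policy page and not Checkov's own implementation), the following Python applies the same test to that JSON: it flags any ingress rule that opens port 22 to 0.0.0.0/0 or ::/0, and it also catches a protocol "-1" (all traffic) rule and a TCP port range that spans 22, which a check for an exact 22/22 rule would miss. The sample output, group ID and rules are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (hypothetical group ID and rules, not real infrastructure).
SAMPLE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.1/32"}], "Ipv6Ranges": []},
        ],
    }]
})

ANY_CIDR = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "from anywhere"

def rule_exposes_port(rule, port):
    """True if one IpPermissions entry admits `port` from any source address."""
    # "-1" means all protocols and all ports; otherwise need a TCP range that covers the port.
    if rule["IpProtocol"] == "-1":
        covers = True
    elif rule["IpProtocol"] == "tcp":
        covers = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    else:
        covers = False
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return covers and any(cidr in ANY_CIDR for cidr in sources)

def find_open_ssh(describe_output_json, port=22):
    """Return (GroupId, offending rule) pairs for groups open to the world on `port`."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            if rule_exposes_port(rule, port):
                findings.append((sg["GroupId"], rule))
    return findings

if __name__ == "__main__":
    for group_id, rule in find_open_ssh(SAMPLE_OUTPUT):
        print(f"{group_id}: protocol {rule['IpProtocol']} from port "
              f"{rule.get('FromPort', 'all')} is open to the world")
```

Pipe real output in with `aws ec2 describe-security-groups --region us-east-1 --output json` and pass it to `find_open_ssh`; the rule restricted to 10.0.0.1/32 in the sample is correctly not reported.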

Fix - Buildtime

Terraform

  • Resource: aws_security_group
  • Argument: ingress.cidr_blocks
resource "aws_security_group" "example" {
  ...
  ingress {
    cidr_blocks = [
-     "0.0.0.0/0"
+     "10.0.0.1/32"
    ]
    from_port = 22
    to_port   = 22
    protocol  = "tcp"
  }
}

CloudFormation

  • Resource: AWS::EC2::SecurityGroup
  • Argument: Properties.SecurityGroupIngress
Type: AWS::EC2::SecurityGroup
Properties:
  ...
  SecurityGroupIngress:
    - Description: SSH Ingress
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
-     CidrIp: "0.0.0.0/0"
+     CidrIp: "10.10.10.0/24"