Ensure Security Groups do not allow ingress from 0.0.0.0/0 to port 3389

Error: Security Groups allow ingress from 0.0.0.0/0 to port 3389

Bridgecrew Policy ID: BC_AWS_NETWORKING_2
Checkov Check ID: CKV_AWS_25
Bridgecrew Severity: LOW
Prisma Cloud Severity: LOW

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

Rationale

Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

Fix - Runtime

AWS Console

To implement the prescribed state, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon VPC console.
  3. In the left pane, click Security Groups.
  4. For each security group, perform the following:
    a) Select the security group.
    b) Click Inbound Rules.
    c) Identify the rules to be removed.
    d) Click X in the Remove column.
  5. Click Save.
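
To find the rules to remove in step 4c, the following added example (not part of the original policy page or of Checkov) scans JSON in the shape returned by `aws ec2 describe-security-groups`. It goes beyond the exact-match case in the text: it also flags port ranges that include 3389, all-protocol (`-1`) rules, and the IPv6 equivalent `::/0`. The sample data and group IDs are constructed placeholders.

```python
import json

RDP_PORT = 3389
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-security-groups` output; IDs are placeholders.
SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-exact", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-range-v6", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
   "IpRanges": [{"CidrIp": "10.10.10.0/24"}],
   "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-all-traffic", "IpPermissions": [
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-restricted", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
   "IpRanges": [{"CidrIp": "10.0.0.1/32"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}""")

def covers_rdp(perm):
    """True if the rule's protocol and port range include TCP 3389."""
    if perm.get("IpProtocol") == "-1":   # all protocols: no port fields present
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= RDP_PORT <= hi

def open_rdp_rules(doc):
    """Return (group_id, cidr, from_port, to_port) for each world-open rule."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not covers_rdp(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], c, perm.get("FromPort"), perm.get("ToPort"))
                         for c in cidrs if c in OPEN_CIDRS]
    return findings

if __name__ == "__main__":
    for finding in open_rdp_rules(SAMPLE):
        print(finding)
```
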

Fix - Buildtime

Terraform

The issue is the CIDR specified in the ingress rule: "0.0.0.0/0". Replace it with a specific address range, as in the following diff:

resource "aws_security_group" "example" {
  ...
  ingress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
-   cidr_blocks = ["0.0.0.0/0"]
+   cidr_blocks = ["10.0.0.1/32"]
  }  
}

CloudFormation

  • Resource: AWS::EC2::SecurityGroup
  • Argument: Properties.SecurityGroupIngress

Type: AWS::EC2::SecurityGroup
    Properties:
      ...
      SecurityGroupIngress:
      - Description: SSH Ingress
        IpProtocol: tcp
        FromPort: 3389
        ToPort: 3389
-       CidrIp: "0.0.0.0/0"
+       CidrIp: "10.10.10.0/24"
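
Review bot: The context line `Description: SSH Ingress` labels a rule whose FromPort and ToPort are both 3389, which is the RDP port this policy covers, so the description is misleading to anyone auditing the group. Suggest changing it to "RDP Ingress" in the same change that restricts CidrIp. Separately, `Type:` is indented less than `Properties:` in this snippet, although they are sibling keys of the resource and should sit at the same level.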