Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 2379 (etcd)

Error: Security Group attached to EC2 instance allows inbound traffic from all to TCP port 2379 (etcd)

Bridgecrew Policy ID: BC_AWS_NETWORKING_20
Severity: HIGH

Security Group attached to EC2 instance allows inbound traffic from all to TCP port 2379 (etcd)

Description

etcd is a distributed, reliable key-value store for the most critical data of a distributed system. As a general precaution, any resource that needs to be open to the internet must first undergo a security review and approval from DSO.

Fix - Runtime

Procedure

  1. Change the access control policy and security groups to make the etcd service private.
  2. Allow access only from a specific list of IP addresses.
  3. Once the etcd service is no longer publicly accessible, Bridgecrew will automatically close the issue.
  4. You can also request an exception from the policy violation details page.
  5. SecOps will review, involve DSO if required, and grant the exception; Bridgecrew will automatically ignore this resource until the exception expires.
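The check behind this policy, written out as an added example (this is not Bridgecrew's own checker): the script walks the JSON shape that `aws ec2 describe-security-groups` returns and flags any group whose ingress rules let 0.0.0.0/0 or ::/0 reach TCP 2379, treating `IpProtocol` `-1` (all traffic) and port ranges that span 2379 as matches. The group IDs and rules are constructed sample data so it runs offline.

```python
"""Flag security group rules that expose etcd (TCP 2379) to the world.

Added example, not Bridgecrew's checker. It evaluates the JSON shape
returned by `aws ec2 describe-security-groups`; the data below is a
constructed sample so the script runs offline.
"""
import json

ETCD_PORT = 2379
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample: group 1 is open to the world on 2379-2380, group 2 is
# restricted to a private range (the remediated state), group 3 allows all
# traffic from any IPv6 source. Group IDs are placeholders.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0a1b2c3d4e5f00001",
            "GroupName": "etcd-public",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 2379, "ToPort": 2380,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []}
            ],
        },
        {
            "GroupId": "sg-0a1b2c3d4e5f00002",
            "GroupName": "etcd-private",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 2379, "ToPort": 2379,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []}
            ],
        },
        {
            "GroupId": "sg-0a1b2c3d4e5f00003",
            "GroupName": "all-traffic",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                 "UserIdGroupPairs": []}
            ],
        },
    ]
})


def rule_covers_port(perm, port):
    """True if an IpPermissions entry reaches TCP <port>.

    IpProtocol "-1" means all protocols and all ports, so it always matches.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_open_to_world(perm):
    """True if any source CIDR in the entry is 0.0.0.0/0 or ::/0."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_exposed_groups(describe_json, port=ETCD_PORT):
    """Return the IDs of groups whose ingress rules expose TCP <port> to all."""
    data = json.loads(describe_json)
    exposed = []
    for sg in data.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if rule_covers_port(perm, port) and rule_open_to_world(perm):
                exposed.append(sg["GroupId"])
                break  # one offending rule is enough to report the group
    return exposed


if __name__ == "__main__":
    for gid in find_exposed_groups(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{gid}: TCP {ETCD_PORT} (etcd) reachable from {ANY_IPV4} or {ANY_IPV6}")
```

To run it against a real account, feed the output of `aws ec2 describe-security-groups --output json` to `find_exposed_groups` instead of the sample. The runtime fix from the procedure above maps onto two CLI calls per flagged group: `aws ec2 revoke-security-group-ingress --group-id <id> --protocol tcp --port 2379 --cidr 0.0.0.0/0` (and the same with `--cidr ::/0` where present), followed by `aws ec2 authorize-security-group-ingress --group-id <id> --protocol tcp --port 2379 --cidr <approved range>` for each address range on the allow list.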