AWS Config Rule: VPC SG Open Only To Authorized Ports

VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS

Fernando Honig

Last Update vor einem Jahr

Description: Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich) Region


How to Resolve Manually 

You may find that within your VPC in AWS, you have a number of Security Groups to consider for this rule. It will flag as NON_COMPLIANT when only 1 of your Security Groups has a port accessible which is not specified in the rule parameters.


By "Rule Parameters" the following is specified;


authorizedTcpPorts (Optional)

Type: String

Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash, for example, "443,1020-1025".


authorizedUdpPorts (Optional)

Type: String

Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash, for example, "500,1020-1025".


To resolve this manually, you will need to investigate which Security Groups are non compliant, and restrict the ingress to a specific IP, or Security Group or other resource.


If however there is a need for a rule to be open to 0.0.0.0/0 you could allow for this rule within the rule parameters above - but the best practice is not to have any rules open to 0.0.0.0/0


How to Resolve with StackZone

The Remediation for this AWS Config Rule will allow StackZone to automatically remove security group roles for Ports 22 (SSH) & 3389 (RDP) from both ipv4 and ipv6 addresses.


The security group must have existing rules specificially on the SSH and RDP ports for ingress to be disabled. This is quite a destructive remediation action, so please ensure the effects this will have if this targets any resources deemed NON_COMPLIANT that you do not want to modify


To enable this on your StackZone deployment, head on over to Provisioning > Baseline Services > Config Rules Regional > PCI-DSS and enable VPC Security Group Open to Authorized Ports Remediation.


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

1 out of 1 liked this article

Still need help? Message Us