AWS Config Rule: VPC SG Open Only To Authorized Ports
VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
Fernando Honig
Last Update a year ago
Description: Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters.
Trigger type: Configuration changes
AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich) Region
How to Resolve Manually
You may find that within your VPC in AWS you have a number of Security Groups to consider for this rule. Each Security Group is evaluated on its own: a Security Group is flagged NON_COMPLIANT as soon as even one of its ingress rules is open to 0.0.0.0/0 on a port that is not listed in the rule parameters, so a single stray rule is enough to fail the group.
The rule parameters are:
authorizedTcpPorts (Optional)
Type: String
Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash, for example, "443,1020-1025".
authorizedUdpPorts (Optional)
Type: String
Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash, for example, "500,1020-1025".
To resolve this manually, identify which Security Groups are non-compliant (the Config console, or the rule's compliance details, lists them) and, for each offending ingress rule, restrict the source from 0.0.0.0/0 to a specific CIDR range, another Security Group, or whichever resource genuinely needs access. Remove the open rule first, then add the narrower one.
If a rule genuinely has to be open to 0.0.0.0/0 (for example HTTPS on a public load balancer), you can list that port in the rule parameters above. Keep in mind that an authorized port is then accepted for every Security Group in the account and region, not just the one you had in mind, so list as little as possible. The best practice is not to have any rules open to 0.0.0.0/0 at all.
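To work out which ingress rules would trip the rule before (or instead of) waiting on the next Config evaluation, the following Python script re-implements the rule's check offline against the JSON shape returned by `aws ec2 describe-security-groups`. It is added here as an example and is not StackZone or AWS code. It parses the authorizedTcpPorts/authorizedUdpPorts strings, flags each rule open to 0.0.0.0/0 on a port outside those lists (an "all traffic" rule counts as exposing every TCP and UDP port), and prints the `aws ec2 revoke-security-group-ingress` command that removes exactly that rule. The sample Security Group and its group ID are constructed; the optional `include_ipv6` switch, which also reports ::/0 sources, goes beyond the rule's stated 0.0.0.0/0 scope and is an assumption.

```python
"""Offline check that mirrors VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS.

Added example, not StackZone or AWS code. Input is the JSON shape returned by
`aws ec2 describe-security-groups`; no AWS API calls are made.
"""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
ALL_PORTS = set(range(0, 65536))


def parse_ports(spec):
    """Parse a rule-parameter string such as '443,1020-1025' into a set of ports."""
    ports = set()
    for item in (spec or "").split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def _world_open_cidrs(perm, include_ipv6):
    """Sources of this ingress permission that are open to the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    if include_ipv6:  # assumption: the rule text only mentions 0.0.0.0/0
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                  if r.get("CidrIpv6") == ANY_IPV6]
    return cidrs


def find_unauthorized_ingress(sg, authorized_tcp="", authorized_udp="", include_ipv6=False):
    """One finding per (ingress rule, world-open CIDR) that exposes a non-authorized port."""
    allowed = {"tcp": parse_ports(authorized_tcp), "udp": parse_ports(authorized_udp)}
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        cidrs = _world_open_cidrs(perm, include_ipv6)
        if not cidrs:
            continue  # only 10.0.0.0/16-style or SG-to-SG sources: not the rule's concern
        if proto == "-1":  # "all traffic": every TCP and UDP port is exposed
            exposed = {"tcp": ALL_PORTS, "udp": ALL_PORTS}
        elif proto in ("tcp", "udp"):
            exposed = {proto: set(range(perm["FromPort"], perm["ToPort"] + 1))}
        else:
            continue  # ICMP and other protocols are outside this rule
        unauthorized = {p: sorted(ports - allowed[p])
                        for p, ports in exposed.items() if ports - allowed[p]}
        if not unauthorized:
            continue
        for cidr in cidrs:
            findings.append({"protocol": proto, "from_port": perm.get("FromPort"),
                             "to_port": perm.get("ToPort"), "cidr": cidr,
                             "unauthorized": unauthorized})
    return findings


def evaluate(sg, authorized_tcp="", authorized_udp="", include_ipv6=False):
    """Verdict in the rule's own vocabulary."""
    hits = find_unauthorized_ingress(sg, authorized_tcp, authorized_udp, include_ipv6)
    return "NON_COMPLIANT" if hits else "COMPLIANT"


def revoke_command(group_id, finding):
    """AWS CLI command that removes exactly the offending rule (manual remediation)."""
    perm = f"IpProtocol={finding['protocol']}"
    if finding["protocol"] != "-1":  # all-traffic rules carry no port range
        perm += f",FromPort={finding['from_port']},ToPort={finding['to_port']}"
    if finding["cidr"] == ANY_IPV6:
        ranges = f"Ipv6Ranges=[{{CidrIpv6={ANY_IPV6}}}]"
    else:
        ranges = f"IpRanges=[{{CidrIp={ANY_IPV4}}}]"
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{perm},{ranges}'")


# Constructed sample in describe-security-groups shape; the group ID is made up.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 1020, "ToPort": 1030,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    gid = SAMPLE_SG["GroupId"]
    print(gid, evaluate(SAMPLE_SG, "443", "500,1020-1025", include_ipv6=True))
    for f in find_unauthorized_ingress(SAMPLE_SG, "443", "500,1020-1025", include_ipv6=True):
        ports = {p: f"{len(v)} port(s), e.g. {v[:5]}" for p, v in f["unauthorized"].items()}
        print(f"  {f['protocol']} {f['from_port']}-{f['to_port']} from {f['cidr']}: {ports}")
        print("  " + revoke_command(gid, f))
```

Replace SAMPLE_SG with the entries under `SecurityGroups` from `aws ec2 describe-security-groups --output json` for the groups Config reported. The generated command only removes the open rule; follow it with `aws ec2 authorize-security-group-ingress` for the specific CIDR or source Security Group that actually needs access, otherwise the workload loses connectivity entirely.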
How to Resolve with StackZone
The Remediation for this AWS Config Rule allows StackZone to automatically remove Security Group ingress rules for ports 22 (SSH) and 3389 (RDP) that are open to the internet, from both IPv4 and IPv6 sources.
The Security Group must have existing ingress rules specifically on the SSH and RDP ports for anything to be removed; rules on other ports are left untouched and still have to be fixed manually. This is quite a destructive remediation action, so before enabling it make sure you understand the effect it will have on any resource deemed NON_COMPLIANT that you do not want modified: a host that is only reachable over public SSH or RDP will lose that access until you add a rule for a specific source or switch to a bastion or session-based access.
To enable this on your StackZone deployment, head on over to Provisioning > Baseline Services > Config Rules Regional > PCI-DSS and enable VPC Security Group Open to Authorized Ports Remediation.
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here