EC2 Security Group Port Range

Security

Risk level: Medium (should be achieved)

Ensure that your security groups do not have ranges of ports open for inbound traffic, in order to protect your EC2 instances against denial-of-service (DoS) attacks and brute-force attacks. Cloud Conformity strongly recommends opening only specific ports within your security groups, based on your application's requirements.

This rule resolution is part of the Cloud Conformity Security Package

Opening a range of ports in your EC2 security groups is not good practice because it allows attackers to use port scanners and other probing techniques to identify the services running on your instances and exploit their vulnerabilities.

Audit

To determine if your EC2 security groups use ranges of ports to allow inbound traffic, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that you want to examine.

05 Select the Inbound tab from the dashboard bottom panel.

06 Verify the value available in the Port Range column for any existing inbound/ingress rules to identify whether ranges of ports (e.g. 0 – 65535, 80 – 8080, 111 – 32800) are currently defined. If one or more inbound rules use a range of ports to allow traffic, the selected security group is not secure and does not adhere to AWS security best practices.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-security-groups command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all EC2 security groups currently available in the selected region:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--output table \
	--query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested IDs:

------------------------
|DescribeSecurityGroups|
+----------------------+
|  sg-7241d509         |
|  sg-5365d728         |
|  sg-8e74d350         |
+----------------------+

03 Run the describe-security-groups command (OSX/Linux/UNIX) again, using custom filtering to expose the current configuration of the inbound rule(s) associated with the selected security group:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--group-ids sg-7241d509 \
	--query 'SecurityGroups[*].IpPermissions'

04 The command output should return the requested configuration information. If the FromPort and ToPort attributes share the same value (the same port), the security group uses specific ports instead of ranges; if these attributes have different values (as shown in the example below), the selected security group is using a range of ports and therefore does not follow AWS security best practices.

[
    [
        {
            "PrefixListIds": [],
            "FromPort": 80,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 8080,
            "IpProtocol": "tcp",
            "UserIdGroupPairs": []
        }
    ]
]

05 Repeat steps no. 1 and 2 to perform the audit process for other AWS regions.
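The FromPort/ToPort check from step 04, as an added example that is not part of this page or of Cloud Conformity's tooling. It runs over a constructed sample in the shape of the describe-security-groups JSON output (group IDs and CIDRs are made up), covers two cases the Port Range column does not show as a range (IpProtocol "-1" and ICMP rules), and builds the revoke-security-group-ingress line from the Remediation section for each offending rule. The generated command lines are meant to be reviewed before they are run.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
# (group IDs and CIDRs are made up for this example).
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0example000000001", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 8080, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0example000000002", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
   {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}]}""")


def find_port_range_rules(describe_output):
    """Return (group_id, protocol, from_port, to_port, cidr) for each inbound rule
    that opens more than one port (the FromPort != ToPort check from the Audit
    section). Two cases the console's Port Range column does not show as a range:
    IpProtocol "-1" (all traffic) carries no FromPort/ToPort and means every port,
    while for icmp/icmpv6 the two fields are ICMP type/code, not ports."""
    findings = []
    for group in describe_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto in ("icmp", "icmpv6"):
                continue
            if proto == "-1":
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort"), perm.get("ToPort")
                if lo is None or hi is None or lo == hi:
                    continue  # a single port: compliant with this rule
            for ip_range in perm.get("IpRanges", []):
                findings.append((group["GroupId"], proto, lo, hi, ip_range["CidrIp"]))
    return findings


def revoke_commands(findings, region="us-east-1"):
    """Build the revoke-security-group-ingress line (Remediation, step 02) per finding."""
    cmds = []
    for group_id, proto, lo, hi, cidr in findings:
        cmd = "aws ec2 revoke-security-group-ingress --region %s --group-id %s" % (region, group_id)
        if proto == "-1":
            cmd += " --protocol -1"  # all traffic: the CLI ignores --port for -1
        else:
            cmd += " --protocol %s --port %d-%d" % (proto, lo, hi)
        cmds.append(cmd + " --cidr " + cidr)
    return cmds
```

To audit a real region, pass the parsed output of `aws ec2 describe-security-groups --region <region> --output json` to find_port_range_rules instead of SAMPLE; IPv6 ranges (Ipv6Ranges) are not covered by this example.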

Remediation / Resolution

To use specific ports instead of ranges of ports in your EC2 security groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that you want to update (see the Audit section to identify any security groups that open range of ports).

05 Select the Inbound tab from the dashboard bottom panel and click Edit to update the necessary ingress rules.

06 In the Edit inbound rules dialog box, perform the following:

  1. Click the Add Rule button to create as many inbound rule entries as necessary to replace the inbound rules that use a range of ports. To define an inbound rule, provide the following information:
    • Select Custom TCP/UDP/ICMP/Protocol Rule from the Type dropdown list, based on your application's requirements.
    • In the Protocol box, enter the type of the protocol used by the inbound rule (if required).
    • In the Port Range box, enter a specific port number used by your server applications as a secure alternative to the range of ports.
    • In the Source section, select Anywhere, Custom or My IP to define the appropriate source of incoming traffic.
  2. Once all the required inbound rules are defined, click the x button next to each rule that uses a range of ports to remove it from the security group.
  3. Click Save to apply the changes. The selected security group should now have only specific ports in all its inbound rules.

07 Repeat steps no. 4 – 6 to update the rest of the EC2 security groups that implement port range(s).

08 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the security group that you want to update, to add inbound/ingress rules with specific ports. Run this command as many times as required to add the necessary inbound rules. Replace the --protocol, --port and --cidr parameter values with your own values (the command does not produce an output):

aws ec2 authorize-security-group-ingress \
	--region us-east-1 \
	--group-id sg-2673e45d \
	--protocol tcp \
	--port 80 \
	--cidr 0.0.0.0/0

02 Run the revoke-security-group-ingress command (OSX/Linux/UNIX) to remove any inbound rules that use a port range from the selected security group (the command does not return an output):

aws ec2 revoke-security-group-ingress \
	--region us-east-1 \
	--group-id sg-7241d509 \
	--protocol tcp \
	--port 80-8080 \
	--cidr 0.0.0.0/0

03 Repeat steps no. 1 and 2 to update the rest of the EC2 security groups that use port range(s).

04 Repeat steps no. 1 - 3 to implement the update process for other AWS regions.

Publication date Jun 10, 2016