EC2 Security Groups with RFC-1918 CIDRs

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!


Risk level: Medium (should be achieved)

Check your EC2 security groups for inbound rules that allow access from IP address ranges specified in RFC-1918 (i.e. 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and restrict access to only those private IP addresses that require it in order to implement the principle of least privilege (as promoted by AWS security best practices).

This rule resolution is part of the Cloud Conformity Security Package

Using RFC-1918 CIDRs within your EC2 security groups to allow an entire private network to reach your EC2 instances is an overly permissive access control, so a security group configured this way does not adhere to security best practices.

Audit

To determine if there are any EC2 security groups that contain RFC-1918 CIDRs available in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Click inside the attributes filter box located under the dashboard top menu and select the following options from the dropdown list:

  1. Choose Source/Destination (CIDR), type 10.0.0.0/8 as input for the CIDR then press Enter.
  2. Choose Source/Destination (CIDR) again, type 172.16.0.0/12 and press Enter.
  3. Choose Source/Destination (CIDR) one more time, type 192.168.0.0/16 and press Enter.

If one or more EC2 security groups allow inbound traffic from RFC-1918 CIDRs, the filtering process will return one or more entries as result. Cloud Conformity agent alerts if one or more security groups are configured to allow traffic from RFC-1918 CIDRs.

05 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with the necessary filters to list the EC2 security groups that allow inbound traffic from RFC-1918 CIDRs, available in the selected region (the ip-permission.cidr filter matches the exact CIDR strings given):

aws ec2 describe-security-groups \
	--region us-east-1 \
	--filters Name=ip-permission.cidr,Values='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' \
	--query 'SecurityGroups[*].GroupId'

02 The command output should return an array with the requested security group(s) ID(s). If the command does not return any output, there are no EC2 security groups that contain RFC-1918 CIDRs, otherwise it should return the ID(s) of the security group(s) that match filter criteria, as shown in the following example:

[
    "sg-ff721884",
    "sg-5365d728"
]

03 Repeat steps no. 1 and 2 to identify any other EC2 security groups that contain RFC-1918 CIDRs, available in other AWS regions.

Remediation / Resolution

To update the inbound/ingress configuration for the EC2 security groups with RFC-1918 CIDRs in order to restrict access to specific IP addresses or security groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that contains RFC-1918 CIDRs.

05 Select the Inbound tab from the dashboard bottom panel and click the Edit button.

06 In the Edit inbound rules dialog box, change the traffic Source for any inbound rules that allow inbound traffic from RFC-1918 CIDRs (regardless of the port used) by selecting the Custom option from the Source dropdown list and entering one of the following options, based on your access requirements:

  1. A specific IP address with the suffix set to /32 (e.g. 192.168.0.21/32), representing the private IP address of the server that requires access to the EC2 instance(s) associated with the selected security group. If necessary, click the Add Rule button to add more inbound rules.
  2. The name or the ID of another security group (e.g. sg-5365de45), available in the same AWS region.

07 Click Save to apply the changes.

08 Repeat steps no. 4 – 7 to update other EC2 security groups that allow inbound traffic from RFC-1918 CIDRs.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule(s) that contain(s) RFC-1918 CIDRs (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) from the selected EC2 security group. The following command example deletes an inbound/ingress rule that allows access from 192.168.0.0/16 IP range (if the command succeeds, no output is returned):

aws ec2 revoke-security-group-ingress \
	--region us-east-1 \
	--group-id sg-ff721884 \
	--protocol tcp \
	--port 3306 \
	--cidr 192.168.0.0/16

02 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the ingress rules removed at the previous step with a different set of parameters in order to restrict inbound access to specific entities (private IP address or security group). To add the required inbound/ingress rules to the selected security group, use one of the following options (the command does not produce an output):

  1. Add an inbound rule that allows access only from a specific private IP address (IPv4):
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-ff721884 \
    	--protocol tcp \
    	--port 3306 \
    	--cidr 192.168.0.21/32

  2. Add an inbound rule that allows access only from another EC2 security group in the same AWS region (for a security group in a non-default VPC, pass the group ID rather than its name):
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-ff721884 \
    	--protocol tcp \
    	--port 3306 \
    	--source-group MyPrivateNetworkSecurityGroup

03 Repeat steps no. 1 and 2 to update other EC2 security groups that allow inbound traffic from RFC-1918 CIDRs using AWS CLI.

04 Repeat steps no. 1 – 3 to implement the entire process for other AWS regions.
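The following script is an added example, not Cloud Conformity's or AWS's own code, that ties the Audit CLI step and the Remediation CLI steps above together: it reads the JSON that aws ec2 describe-security-groups prints, flags every ingress rule whose source is one of the three RFC-1918 blocks, and prints the revoke-security-group-ingress / authorize-security-group-ingress calls that replace each rule with a narrowed source. It goes slightly beyond the page's exact-string filter by also flagging supernets of those blocks (for example 0.0.0.0/0), which admit the same private networks; a narrower subnet such as 10.20.0.0/16 is not flagged. All function names are hypothetical, the embedded sample is constructed (made-up group IDs, names and addresses), and the /32 passed to the authorize call is a placeholder to be replaced with the address that actually needs access. To run it against a real account, replace SAMPLE with json.load(sys.stdin) and pipe in the describe-security-groups output with --output json.

```python
"""Audit describe-security-groups JSON for RFC 1918 ingress sources and build
the AWS CLI calls that narrow each rule (added example; names are hypothetical)."""
import ipaddress
import json
import shlex

# The three RFC 1918 blocks the Conformity rule looks for.
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def grants_whole_private_network(cidr):
    """True when an IPv4 CIDR equals an RFC 1918 block or is a supernet of one
    (e.g. 0.0.0.0/0). Wider than the exact-string ip-permission.cidr filter on
    the page; a narrower subnet such as 10.20.0.0/16 is deliberately not flagged."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:          # malformed or empty CidrIp
        return False
    return net.version == 4 and any(net.supernet_of(b) for b in RFC1918)


def find_rfc1918_rules(describe_output):
    """Return one finding per (group, permission, CIDR) that matches."""
    findings = []
    for group in describe_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range.get("CidrIp", "")
                if grants_whole_private_network(cidr):
                    findings.append({
                        "GroupId": group["GroupId"],
                        "IpProtocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"),  # absent when protocol is "-1"
                        "ToPort": perm.get("ToPort"),
                        "CidrIp": cidr,
                    })
    return findings


def _base_args(verb, finding, region):
    # The API spells "all protocols" as "-1"; the CLI shorthand accepts "all".
    proto = "all" if finding["IpProtocol"] == "-1" else finding["IpProtocol"]
    args = ["aws", "ec2", verb, "--region", region,
            "--group-id", finding["GroupId"], "--protocol", proto]
    # --port only applies to tcp/udp; ICMP type/code rules need --ip-permissions.
    if proto in ("tcp", "udp") and finding["FromPort"] is not None:
        lo, hi = finding["FromPort"], finding["ToPort"]
        args += ["--port", str(lo) if lo == hi else f"{lo}-{hi}"]
    return args


def revoke_command(finding, region):
    """CLI call that deletes exactly this rule (protocol, ports and CIDR)."""
    args = _base_args("revoke-security-group-ingress", finding, region)
    return " ".join(shlex.quote(a) for a in args + ["--cidr", finding["CidrIp"]])


def authorize_command(finding, region, cidr=None, source_group=None):
    """CLI call that re-adds the rule with its source narrowed to one /32
    address or to another security group (give exactly one of the two)."""
    if (cidr is None) == (source_group is None):
        raise ValueError("give exactly one of cidr or source_group")
    args = _base_args("authorize-security-group-ingress", finding, region)
    args += ["--cidr", cidr] if cidr else ["--source-group", source_group]
    return " ".join(shlex.quote(a) for a in args)


# Constructed sample shaped like describe-security-groups output; the group
# IDs, names and addresses are made up for this demo.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-ff721884", "GroupName": "db-servers", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "192.168.0.21/32"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-5365d728", "GroupName": "internal-all", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
    "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0a1b2c3d", "GroupName": "app-servers", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "10.20.0.0/16"}],
    "UserIdGroupPairs": [{"GroupId": "sg-5365de45", "UserId": "123456789012"}]},
   {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}]}""")


def main(region="us-east-1", data=SAMPLE):
    for f in find_rfc1918_rules(data):
        print(f"# {f['GroupId']}: {f['IpProtocol']} from {f['CidrIp']}")
        print(revoke_command(f, region))
        # Placeholder /32; substitute the address that actually needs access.
        print(authorize_command(f, region, cidr="192.168.0.21/32"))


if __name__ == "__main__":
    main()
```

The printed commands are meant to be reviewed before they are run: the revoke call must name the protocol, port range and CIDR exactly as the rule has them or the API will not find the rule, and the authorize call should carry the real /32 or source group for that workload, mirroring options 1 and 2 of step 02 above.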

Publication date Jun 23, 2016