Security Group Port Range
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your security groups don't have range of ports opened for inbound traffic in order to protect your EC2 instances against denial-of-service (DoS) attacks or brute-force attacks. Cloud Conformity strongly recommends opening only specific ports within your security groups, based on your applications requirements.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Opening range of ports inside your EC2 security groups is not a good practice because it will allow attackers to use port scanners and other probing techniques to identify services running on your instances and exploit their vulnerabilities.
To determine if your EC2 security groups implement range of ports to allow inbound traffic, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.
04 Select the security group that you want to examine.
05 Select the Inbound tab from the dashboard bottom panel.
06 Verify the value available in the Port Range column for any existing inbound/ingress rules to identify if there are range or ports (e.g. 0 – 65535, 80 – 8080, 111 – 32800,) currently defined. If one or more inbound rules are using range of ports to allow traffic, the selected security group is not secure and does not adhere to AWS security best practices.
07 Change the AWS region from the navigation bar and repeat the audit process for other regions.
01 Run describe-security-groups command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all EC2 security groups currently available in the selected region:
aws ec2 describe-security-groups --region us-east-1 --output table --query 'SecurityGroups[*].GroupId'
02 The command output should return a table with the requested IDs:
------------------------ |DescribeSecurityGroups| +----------------------+ | sg-7241d509 | | sg-5365d728 | | sg-8e74d350 | +----------------------+
03 Run again describe-security-groups command (OSX/Linux/UNIX) using custom filtering to expose the current configuration of the inbound rule(s) associated with the selected security group:
aws ec2 describe-security-groups --region us-east-1 --group-ids sg-7241d509 --query 'SecurityGroups[*].IpPermissions'
04 The command output should return the requested configuration information. If both FromPort and ToPort attributes share the same value (same port), the security group implements specific ports instead of ranges, otherwise, if these attributes (highlighted) have different values (as shown in the example below), the selected security group is using range of ports, therefore is not following the AWS security best practices.
[
[
{
"PrefixListIds": [],
"FromPort": 80,
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": 8080,
"IpProtocol": "tcp",
"UserIdGroupPairs": []
}
]
]
05 Repeat step no. 1 and 2 to perform the audit process for other AWS regions.
To implement specific ports instead of range of ports for your EC2 security groups, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.
04 Select the security group that you want to update (see the Audit section to identify any security groups that open range of ports).
05 Select the Inbound tab from the dashboard bottom panel and click Edit to update the necessary ingress rules.
06 In the Edit inbound rules dialog box, perform the following:
07 Repeat steps no. 4 – 6 to update the rest of the EC2 security groups that implement port range(s).
08 Change the AWS region from the navigation bar and repeat the process for other regions.
01 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the security group that you want to update, to add inbound/ingress rules with specific ports. Run this command as many times as required to add the necessary inbound rules. Replace the --protocol, --port and –cidr parameter values with your own values (the command does not produce an output):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-2673e45d --protocol tcp --port 80 --cidr 0.0.0.0/0
02
Run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove any inbound rules that use the port range technique from the selected security group (the command does not return an output):
aws ec2 revoke-security-group-ingress --region us-east-1 --group-id sg-7241d509 --protocol tcp --port 80-8080 --cidr 0.0.0.0/0
03 Repeat step no. 1 and 2 to update the rest of the EC2 security groups that use port range(s).
04 Repeat steps no. 1 - 3 to implement the update process for other AWS regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat