Security Group Port Range

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that you want to examine.

05 Select the Inbound tab from the dashboard bottom panel.

06 Verify the value available in the Port Range column for any existing inbound/ingress rules to identify if there are range or ports (e.g. 0 – 65535, 80 – 8080, 111 – 32800,) currently defined. If one or more inbound rules are using range of ports to allow traffic, the selected security group is not secure and does not adhere to AWS security best practices.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run describe-security-groups command (OSX/Linux/UNIX) using appropriate filtering to list the IDs of all EC2 security groups currently available in the selected region:

aws ec2 describe-security-groups
	--region us-east-1
	--output table
	--query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested IDs:

------------------------
|DescribeSecurityGroups|
+----------------------+
|  sg-7241d509         |
|  sg-5365d728         |
|  sg-8e74d350         |
+----------------------+

03 Run again describe-security-groups command (OSX/Linux/UNIX) using custom filtering to expose the current configuration of the inbound rule(s) associated with the selected security group:

aws ec2 describe-security-groups
	--region us-east-1
	--group-ids sg-7241d509
	--query 'SecurityGroups[*].IpPermissions'

04 The command output should return the requested configuration information. If both FromPort and ToPort attributes share the same value (same port), the security group implements specific ports instead of ranges, otherwise, if these attributes (highlighted) have different values (as shown in the example below), the selected security group is using range of ports, therefore is not following the AWS security best practices.

[
    [
        {
            "PrefixListIds": [],
            "FromPort": 80,
            "IpRanges": [
                {
                    "CidrIp": "0.0.0.0/0"
                }
            ],
            "ToPort": 8080,
            "IpProtocol": "tcp",
            "UserIdGroupPairs": []
        }
    ]
]

05 Repeat step no. 1 and 2 to perform the audit process for other AWS regions.

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group that you want to update (see the Audit section to identify any security groups that open range of ports).

05 Select the Inbound tab from the dashboard bottom panel and click Edit to update the necessary ingress rules.

06 In the Edit inbound rules dialog box, perform the following:

1. Click the Add Rule button to create as many inbound rule entries as necessary to replace the inbound rules with the range of ports. To define an inbound rule, provide the following information:
   • Select Custom TCP/UDP/ICMP/Protocol Rule from the Type dropdown list, based on your applications requirements.
   • In the Protocol box, enter the type of the protocol used by the inbound rule (if required).
   • In the Port Range box, enter a specific port number used by your server applications as secure alternative to the range of ports.
   • In the Source section, select Anywhere, Custom or My IP to define the appropriate source of incoming traffic.
2. Once all the required inbound rules are defined, click the x button next to each rule that implements range of ports to remove each of them from the security group.
3. Click Save to apply the changes. The selected security group should have now only specific ports for all its inbound rules.

07 Repeat steps no. 4 – 6 to update the rest of the EC2 security groups that implement port range(s).

08 Change the AWS region from the navigation bar and repeat the process for other regions.

01 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the security group that you want to update, to add inbound/ingress rules with specific ports. Run this command as many times as required to add the necessary inbound rules. Replace the --protocol, --port and –cidr parameter values with your own values (the command does not produce an output):

aws ec2 authorize-security-group-ingress
	--region us-east-1
	--group-id sg-2673e45d
	--protocol tcp
	--port 80
	--cidr 0.0.0.0/0

02 Run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove any inbound rules that use the port range technique from the selected security group (the command does not return an output):

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-id sg-7241d509
	--protocol tcp
	--port 80-8080
	--cidr 0.0.0.0/0

03 Repeat step no. 1 and 2 to update the rest of the EC2 security groups that use port range(s).

04 Repeat steps no. 1 - 3 to implement the update process for other AWS regions.