SecurityGroup RFC 1918
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresCheck your EC2 security groups for inbound rules that allow access from IP address ranges specified in RFC-1918 (i.e. 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and restrict access to only those private IP addresses that require it in order to implement the principle of least privilege (as promoted by AWS security best practices).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using RFC-1918 CIDRs within your EC2 security groups to allow an entire private network to access EC2 instances is implementing overly permissive access control, therefore the security groups access configuration does not adhere to security best practices.
To determine if there are any EC2 security groups that contain RFC-1918 CIDRs available in your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.
04 Click inside the attributes filter box located under the dashboard top menu and select the following options from the dropdown list:
05 Change the AWS region from the navigation bar and repeat the process for other regions.
01 Run describe-security-groups command (OSX/Linux/UNIX) using the necessary filters to expose the EC2 security groups that allow inbound traffic from RFC-1918 CIDRs, available in the selected region:
aws ec2 describe-security-groups --region us-east-1 --filters Name=ip-permission.cidr,Values='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' --query 'SecurityGroups[*].GroupId'
02 The command output should return an array with the requested security group(s) ID(s). If the command does not return any output, there are no EC2 security groups that contain RFC-1918 CIDRs, otherwise it should return the ID(s) of the security group(s) that match filter criteria, as shown in the following example:
[
"sg-ff721884",
"sg-5365d728"
]
03 Repeat step no. 1 and 2 to identify any other EC2 security groups that contain RFC-1918 CIDRs, available in other AWS regions.
To update the inbound/ingress configuration for the EC2 security groups with RFC-1918 CIDRs in order to restrict access to specific IP addresses or security groups, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.
04 Select the security group that contains RFC-1918 CIDRs.
05 Select the Inbound tab from the dashboard bottom panel and click the Edit button.
06 In the Edit inbound rules dialog box, change the traffic Source for any inbound rules that allow inbound traffic from RFC-1918 CIDRs (regardless of the port used) by selecting the Custom option from the Source dropdown list and entering one of the following options, based on your access requirements:
07 Click Save to apply the changes.
08 Repeat steps no. 4 – 7 to update other EC2 security groups that allow inbound traffic from RFC-1918 CIDRs.
09 Change the AWS region from the navigation bar and repeat the process for other regions.
01 First, run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule(s) that contain(s) RFC-1918 CIDRs (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) from the selected EC2 security group. The following command example deletes an inbound/ingress rule that allows access from 192.168.0.0/16 IP range (if the command succeeds, no output is returned):
aws ec2 revoke-security-group-ingress --region us-east-1 --group-id sg-ff721884 --protocol tcp --port 3306 --cidr 192.168.0.0/16
02 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the ingress rules removed at the previous step with a different set of parameters in order to restrict inbound access to specific entities (private IP address or security group). To add the required inbound/ingress rules to the selected security group, use one of the following options (the command does not produce an output):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-ff721884 --protocol tcp --port 3306 --cidr 192.168.0.21/32
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-ff721884 --protocol tcp --port 3306 --source-group MyPrivateNetworkSecurityGroup
03 Repeat step no. 1 and 2 to update other EC2 security groups that allow inbound traffic from RFC-1918 CIDRs using AWS CLI.
04 Repeat steps no. 1 – 3 to implement the entire process for other AWS regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat