Check your EC2 security groups for inbound rules that allow access from IP address ranges specified in RFC-1918 (i.e. 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and restrict access to only those private IP addresses that require it in order to implement the principle of least privilege (as promoted by AWS security best practices).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using RFC-1918 CIDRs in EC2 security group inbound rules grants an entire private network access to your EC2 instances. This is overly permissive access control, so a security group configured this way does not adhere to security best practices.
Audit
To determine if there are any EC2 security groups that contain RFC-1918 CIDRs available in your AWS account, perform the following:
Remediation / Resolution
To update the inbound/ingress configuration for the EC2 security groups with RFC-1918 CIDRs in order to restrict access to specific IP addresses or security groups, perform the following:
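The audit step and the first remediation step, as an added example rather than Cloud Conformity's own code: parse the JSON that `aws ec2 describe-security-groups` returns, flag every IPv4 ingress source that falls inside one of the three RFC-1918 blocks (marking rules that open an entire block), and build the matching `aws ec2 revoke-security-group-ingress` command. The sample output and group ids are constructed for the example.

```python
import ipaddress
import json

# The three RFC-1918 blocks named by the rule.
RFC1918_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of `aws ec2 describe-security-groups` JSON output
# (hypothetical group ids, not data from a real account).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0", "GroupName": "app-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},            # entire private block
        {"IpProtocol": "-1",                                  # all traffic, no ports
         "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},       # private subnet
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.20.30.40/32"}]},        # single private host
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.5/32"}],         # public host
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},  # SG-sourced rule
    ]}]})

def rfc1918_ingress_findings(describe_output_json, flag_single_hosts=False):
    """List ingress rules whose IPv4 source CIDR lies inside an RFC-1918 block.
    /32 private sources are skipped by default: keeping exactly those is the remediation."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for ip_range in perm.get("IpRanges", []):  # IPv4 only; RFC-1918 has no IPv6 part
                cidr = ipaddress.ip_network(ip_range["CidrIp"], strict=False)
                if cidr.prefixlen == 32 and not flag_single_hosts:
                    continue
                block = next((b for b in RFC1918_NETWORKS if cidr.subnet_of(b)), None)
                if block is not None:
                    findings.append({
                        "GroupId": sg["GroupId"], "IpProtocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                        "CidrIp": str(cidr), "Rfc1918Block": str(block),
                        "WholeBlock": cidr == block})  # the most permissive case
    return findings

def revoke_cli_args(finding):
    """argv for `aws ec2 revoke-security-group-ingress` that removes exactly one finding."""
    perm = {"IpProtocol": finding["IpProtocol"], "IpRanges": [{"CidrIp": finding["CidrIp"]}]}
    if finding["FromPort"] is not None:  # protocol -1 (all traffic) carries no port range
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    return ["aws", "ec2", "revoke-security-group-ingress", "--group-id", finding["GroupId"],
            "--ip-permissions", json.dumps([perm])]
```

After revoking, re-add only the required sources with `authorize-security-group-ingress`, using a /32 host CIDR or a source security group instead of the private block.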
References
- AWS Documentation
  - Amazon EC2 Security Groups for Linux Instances
  - Security Groups for Your VPC
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-security-groups
    - revoke-security-group-ingress
    - authorize-security-group-ingress
Rule: SecurityGroup RFC 1918
Risk level: Medium