Unrestricted HTTPS Access
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresCheck your EC2 security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0) to TCP port 443 and restrict access to only those IP addresses that require it in order to implement the principle of least privilege and reduce the possibility of a breach.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing unrestricted HTTPS access can increase opportunities for malicious activity such as hacking, denial-of-service (DoS) attacks and loss of data.
To determine if your EC2 security groups allow unrestricted HTTPS access, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the left navigation panel, under NETWORK & SECURITY section, choose Security Groups.
04 Click inside the attributes filter box located under the dashboard top menu and select the following options from the dropdown list:
05 Select an EC2 security group returned as result.
06 Select the Inbound tab from the dashboard bottom panel.
07 Verify the value available in the Source column for any inbound/ingress rules with the Port Range set to 443. If one or more rules have the source set to 0.0.0.0/0 (Anywhere), the selected security group allows unrestricted data traffic on port 443, therefore the HTTPS access to the associated EC2 or RDS instance(s) is not secured.
08 Repeat steps no. 5 – 7 to verify the rest of the EC2 security groups returned as result at step no. 4.
09 Change the AWS region from the navigation bar and repeat the audit process for other regions.
01 Run describe-security-groups command (OSX/Linux/UNIX) using the necessary filters to expose the security groups that have ingress rules that allow HTTPS traffic (TCP port 443) from all addresses (0.0.0.0/0):
aws ec2 describe-security-groups
--region us-east-1
--filters Name=ip-permission.from-port,Values=443 Name=ip-permission.to-port,Values=443 Name=ip-permission.cidr,Values='0.0.0.0/0'
--query 'SecurityGroups[*].{Name:GroupName}'
02 The command output should return an array with the requested information. If the command does not return any output, there are no EC2 security groups that allow unrestricted HTTPS access, otherwise it should return the name of the security group(s) that match filter criteria, as shown in the following example:
[
{
"Name": "MyHTTPSDBSecurityGroup"
}
]
03 Repeat step no. 1 and 2 to perform the audit process for other AWS regions.
To update your security groups inbound/ingress configuration in order to restrict HTTPS access to specific entities (IP addresses, IP ranges, etc), perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.
04 Select the appropriate security group (see Audit section to identify the right one(s)).
05 Select the Inbound tab from the dashboard bottom panel and click the Edit button.
06 In the Edit inbound rules dialog box, change the traffic Source for any inbound rules that allow unrestricted access through TCP port 443 by performing one of the following actions:
07 Click Save to apply the changes.
08 Repeat steps no. 4 – 7 to update other EC2 security groups that allow unrestricted HTTPS access.
09 Change the AWS region from the navigation bar and repeat the process for other regions.
01 First, run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule(s) that allow unrestricted access through TCP port 443, from the selected EC2 security group (the command does not return an output):
aws ec2 revoke-security-group-ingress --region us-east-1 --group-name MyHTTPSDBSecurityGroup --protocol tcp --port 443 --cidr 0.0.0.0/0
02
Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rules removed at the previous step with a different set of parameters in order to restrict HTTPS access to specific entities. To add custom inbound/ingress rules to the selected security group, use one of the following options (the command does not produce an output):
aws ec2 authorize-security-group-ingress --region us-east-1 --group-name MyHTTPSDBSecurityGroup --protocol tcp --port 443 --cidr 54.164.53.221/32
aws ec2 authorize-security-group-ingress --region us-east-1 --group-name MyHTTPSDBSecurityGroup --protocol tcp --port 443 --cidr 54.164.53.221/24
aws ec2 authorize-security-group-ingress --region us-east-1 --group-name MyHTTPSDBSecurityGroup --protocol tcp --port 443 --source-group MyWebAppSecurityGroup
03 Repeat step no. 1 and 2 to update other EC2 security groups that allow unrestricted HTTPS access using AWS CLI.
04 Repeat steps no. 1 - 3 to implement the entire process for other AWS regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat