Home Security & Health Security Audit AWS Security Groups should not allow unrestricted access to EC2

AWS Security Groups should not allow unrestricted access to EC2

-

AWS security groups are meant for safeguarding your resources and infrastructure in cloud. But, have you ever thought of the damage that these security groups can cause if they are configured with rules that allow unrestricted access to your resources? Let us dig more about the scenario.

What are AWS security groups?

Security groups are associated with your AWS EC2 instances and provide security at the protocol and port access level. Each security group works in the same way as a firewall. It contains a set of rules that filter the ingress and egress traffic of an EC2 instance. There is no ‘Deny’ rule in a security group. Rather, if there is no rule that explicitly permits a data packet, it will be dropped.

Security groups allowing unrestricted access to your EC2 instances

It is necessary to make sure that your AWS security groups do not allow unrestricted access to your EC2 instances. Unrestricted access becomes a pathway for various malicious activities and attacks. These security attacks can be hacking, denial-of-service attacks, loss of data, etc. It can not only hamper your daily operations but also comprise the confidentiality of your cloud environment. Apart from common security ports such as port no. 25 (Simple Mail Transfer Protocol (SMTP)), port no.80 (Hyper Text Transfer Protocol) and port no. 443 (standard TCP protocol for websites using SSL), access to all other ports must be restricted in your security groups.

Centilytics provides a dedicated insight that keeps a check on security groups attached to your EC2 instances. It then lists down all the security groups with rules allowing unrestricted access to EC2 resources. This helps you to take the necessary measures from a security standpoint.

Insight Descriptions:

There can be 1 possible scenario:

Severity Description
Critical This indication will be displayed when AWS security groups attached to your EC2 instance(s) allow unrestricted access for ports other than ports 25, 80 and 443.

 

Description of further columns are as follows:

  1. Account Id: This column shows the respective account ID of the user’s account.   AWS EC2 4
  2. Account Name: This column shows the Account Id of the user’s account.AWS EC2 7
  3. Region: This column shows the region in which the resources exist.AWS EC2 9
  4. Group Name: This column shows the name of the security group.AWS EC2 3
  5. Identifier: This column shows the security group ID of your security group.AWS EC2 5
  6. Protocol: This column shows the name of the protocol.AWS EC2 8
  7. CIDR IP: This column shows the Ip address of your connection.AWS EC2 1
  8. From Port: This column shows the source port from which the connection is being routed.AWS EC2 2
  9. To Port: This column shows the destination port to which the connection is being routed.AWS EC2 0

Filters applicable:

Filter Name Description
Account Id Applying the account Id filter will display data for the selected account Id.
Region Applying the region filter will display data according to the selected region.
Severity Applying severity filter will display data according to the selected severity type. This means, selecting Critical will display all resources with critical severity. Same will be the case for Warning and Ok severity types
Resource Tags Applying resource tags filter will display those resources which have been assigned the selected resource tag. For e.g., A user has tagged some public snapshots by a resource tag named environment. Then selecting an environment from the resource tags filter will display all those resources tagged by the tag name environment.
Resource Tags Value Applying resource tags value filter will display data which will have the selected resource tag value. For e.g. – Let’s say a user has tagged some resource by a tag named environment and has a value say production (environment: production).

Hence, the user can view data of all the resources which have “environment:production” tag assigned. The user can use the tag value filter only when a tag name has been provided.

 

Compliances covered:

Compliance Name Reference No. Link
Trusted Advisor https://console.aws.amazon.com/trustedadvisor/home?#/category/security

 

Read About

Cloud