Check Security Groups for Fine Grained Rules

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To implement least privilege access and minimize attack surface, ensure that your Elastic Compute Service (ECS) security groups are configured with fine grained rules.

Security

In Alibaba Cloud, security groups act as virtual firewalls that control inbound and outbound traffic for your ECS instances, much as a traditional firewall does. You define rules within a security group to specify which traffic is allowed and which is blocked. Fine-grained security group rules limit the impact of a breach: any traffic not explicitly permitted by the rules is blocked, so a compromised instance can reach, and be reached from, only the resources those rules allow. To keep your ECS instances secure, it is strongly recommended to follow the Principle of Least Privilege (POLP) and configure your security group rules for the specific situations you need to support. For example, fine-grained security group rules are appropriate when a website deployed on your ECS instance needs to provide external web services or when you want to connect to your instance from an on-premises server.


Audit

To determine if your security groups are configured with fine grained rules, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Select the cloud region where your ECS security groups reside from the top navigation bar.

05 Click on the ID (link) of the security group that you want to examine, listed in the Security Group ID/Name.

06 Select the Security Group Details tab and choose the Inbound/Outbound tab to access the ingress/egress rules available for the selected security group.

07 Check the following configuration attributes for each defined inbound/outbound rule: Action, Protocol Type, Port Range, Authorization Object, and Description, and assess whether each rule is required for the tasks that the associated ECS instance performs. If an inbound/outbound rule is not required for the associated ECS instance's operations, it can be considered unnecessary and safely removed from the selected security group.

08 Repeat steps no. 5 - 7 for each ECS security group available in the selected cloud region.

09 Change the cloud region from the top navigation bar and perform the Audit process for other regions.

Using Alibaba Cloud CLI

01 Run DescribeSecurityGroups command (OSX/Linux/UNIX) to list the ECS security groups provisioned in the specified cloud region, together with their configuration details:

aliyun ecs DescribeSecurityGroups --RegionId 'eu-west-1'

02 The command output should return the requested details (including the security group ID):

{
	"SecurityGroups": {
		"SecurityGroup": [
			{
				"CreationTime": "2024-02-24T17:42:55Z",
				"Description": "",
				"SecurityGroupId": "sg-abcd1234abcd1234abcd",
				"SecurityGroupName": "sg-abcd1234abcd1234abcd",
				"SecurityGroupType": "normal",
				"ServiceManaged": false,
				"VpcId": "vpc-123456789012345678901"
			},
			{
				"CreationTime": "2024-02-23T17:52:37Z",
				"Description": "",
				"SecurityGroupId": "sg-1234abcd1234abcd1234",
				"SecurityGroupName": "sg-1234abcd1234abcd1234",
				"SecurityGroupType": "normal",
				"ServiceManaged": false,
				"VpcId": "vpc-123456789012345678901"
			}
		]
	},
	"TotalCount": 2,
	"PageNumber": 1,
	"PageSize": 10,
	"RegionId": "eu-west-1",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

03 Run DescribeSecurityGroupAttribute command (OSX/Linux/UNIX) using the ID of the ECS security group that you want to examine as the identifier parameter, to describe the inbound and outbound rules defined for the selected security group:

aliyun ecs DescribeSecurityGroupAttribute --RegionId 'eu-west-1' --SecurityGroupId 'sg-abcd1234abcd1234abcd'

04 The command output should return the requested configuration information:

{
	"Description": "Custom Created Security Group",
	"InnerAccessPolicy": "Accept",
	"Permissions": {
		"Permission": [
			{
				"CreateTime": "2024-02-28T12:56:58Z",
				"Description": "Allow SSH Access",
				"DestCidrIp": "",
				"DestGroupId": "",
				"DestGroupName": "",
				"DestGroupOwnerAccount": "",
				"DestPrefixListId": "",
				"DestPrefixListName": "",
				"Direction": "ingress",
				"IpProtocol": "TCP",
				"Ipv6DestCidrIp": "",
				"Ipv6SourceCidrIp": "",
				"NicType": "intranet",
				"Policy": "Accept",
				"PortRange": "22/22",
				"Priority": 100,
				"SecurityGroupRuleId": "sgr-abcd1234abcd1234abcd",
				"SourceCidrIp": "0.0.0.0/0",
				"SourceGroupId": "",
				"SourceGroupName": "",
				"SourceGroupOwnerAccount": "",
				"SourcePortRange": "",
				"SourcePrefixListId": "",
				"SourcePrefixListName": ""
			},
			{
				"CreateTime": "2024-02-28T12:56:42Z",
				"Description": "Allow HTTP Access",
				"DestCidrIp": "",
				"DestGroupId": "",
				"DestGroupName": "",
				"DestGroupOwnerAccount": "",
				"DestPrefixListId": "",
				"DestPrefixListName": "",
				"Direction": "ingress",
				"IpProtocol": "TCP",
				"Ipv6DestCidrIp": "",
				"Ipv6SourceCidrIp": "",
				"NicType": "intranet",
				"Policy": "Accept",
				"PortRange": "80/80",
				"Priority": 100,
				"SecurityGroupRuleId": "sgr-1234abcd1234abcd1234",
				"SourceCidrIp": "0.0.0.0/0",
				"SourceGroupId": "",
				"SourceGroupName": "",
				"SourceGroupOwnerAccount": "",
				"SourcePortRange": "",
				"SourcePrefixListId": "",
				"SourcePrefixListName": ""
			},
			{
				"CreateTime": "2024-02-28T12:56:32Z",
				"Description": "Allow HTTPS Access",
				"DestCidrIp": "",
				"DestGroupId": "",
				"DestGroupName": "",
				"DestGroupOwnerAccount": "",
				"DestPrefixListId": "",
				"DestPrefixListName": "",
				"Direction": "ingress",
				"IpProtocol": "TCP",
				"Ipv6DestCidrIp": "",
				"Ipv6SourceCidrIp": "",
				"NicType": "intranet",
				"Policy": "Accept",
				"PortRange": "443/443",
				"Priority": 100,
				"SecurityGroupRuleId": "sgr-12341234123412341234",
				"SourceCidrIp": "0.0.0.0/0",
				"SourceGroupId": "",
				"SourceGroupName": "",
				"SourceGroupOwnerAccount": "",
				"SourcePortRange": "",
				"SourcePrefixListId": "",
				"SourcePrefixListName": ""
			},
			{
				"CreateTime": "2024-02-28T12:56:15Z",
				"Description": "Allow Redis Cache Access",
				"DestCidrIp": "",
				"DestGroupId": "",
				"DestGroupName": "",
				"DestGroupOwnerAccount": "",
				"DestPrefixListId": "",
				"DestPrefixListName": "",
				"Direction": "ingress",
				"IpProtocol": "TCP",
				"Ipv6DestCidrIp": "",
				"Ipv6SourceCidrIp": "",
				"NicType": "intranet",
				"Policy": "Accept",
				"PortRange": "6379/6379",
				"Priority": 100,
				"SecurityGroupRuleId": "sgr-abcdabcdabcdabcdabcd",
				"SourceCidrIp": "0.0.0.0/0",
				"SourceGroupId": "",
				"SourceGroupName": "",
				"SourceGroupOwnerAccount": "",
				"SourcePortRange": "",
				"SourcePrefixListId": "",
				"SourcePrefixListName": ""
			},
			{
				"CreateTime": "2024-02-28T12:55:50Z",
				"Description": "",
				"DestCidrIp": "0.0.0.0/0",
				"DestGroupId": "",
				"DestGroupName": "",
				"DestGroupOwnerAccount": "",
				"DestPrefixListId": "",
				"DestPrefixListName": "",
				"Direction": "egress",
				"IpProtocol": "TCP",
				"Ipv6DestCidrIp": "",
				"Ipv6SourceCidrIp": "",
				"NicType": "intranet",
				"Policy": "Accept",
				"PortRange": "1/65535",
				"Priority": 100,
				"SecurityGroupRuleId": "sgr-abcabcabcabcabcabcab",
				"SourceCidrIp": "",
				"SourceGroupId": "",
				"SourceGroupName": "",
				"SourceGroupOwnerAccount": "",
				"SourcePortRange": "",
				"SourcePrefixListId": "",
				"SourcePrefixListName": ""
			}
		]
	},
	"RegionId": "eu-west-1",
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
	"SecurityGroupId": "sg-abcd1234abcd1234abcd",
	"SecurityGroupName": "sg-abcd1234abcd1234abcd",
	"VpcId": "vpc-123456789012345678901"
}

Check the following configuration attributes for each defined rule: "Direction", "Policy", "IpProtocol", "PortRange", "SourceCidrIp" (for inbound rules), "DestCidrIp" (for outbound rules), and "Description", and assess whether each rule is required for the tasks that the associated ECS instance performs. If an inbound/outbound rule is not required for the associated ECS instance's operations, it can be considered unnecessary and safely removed from the selected security group.

05 Repeat steps no. 3 and 4 for each ECS security group available within the selected cloud region.

06 Change the cloud region by updating the --RegionId command parameter value and repeat the Audit process for other regions.
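The attribute review in step 04 can be automated over the DescribeSecurityGroupAttribute output. The following script is an added example and not part of Conformity or the Alibaba Cloud CLI; it reads a response in the shape shown above (a constructed, trimmed sample is embedded) and flags Accept rules that are open to any address, cover every port, or carry no description. The "-1/-1" port range and the "ALL" protocol value are assumed to be how Alibaba reports "all ports"; the set of ports treated as legitimately public is an assumption you should adjust to your workload.

```python
import json
import ipaddress

# Constructed sample in the shape of DescribeSecurityGroupAttribute (only fields the check uses).
SAMPLE = json.dumps({
    "Permissions": {"Permission": [
        {"SecurityGroupRuleId": "sgr-1", "Direction": "ingress", "Policy": "Accept",
         "IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0",
         "DestCidrIp": "", "Description": "Allow HTTPS Access"},
        {"SecurityGroupRuleId": "sgr-2", "Direction": "ingress", "Policy": "Accept",
         "IpProtocol": "TCP", "PortRange": "6379/6379", "SourceCidrIp": "0.0.0.0/0",
         "DestCidrIp": "", "Description": "Allow Redis Cache Access"},
        {"SecurityGroupRuleId": "sgr-3", "Direction": "egress", "Policy": "Accept",
         "IpProtocol": "TCP", "PortRange": "1/65535", "SourceCidrIp": "",
         "DestCidrIp": "0.0.0.0/0", "Description": ""},
        {"SecurityGroupRuleId": "sgr-4", "Direction": "ingress", "Policy": "Accept",
         "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "203.0.113.0/24",
         "DestCidrIp": "", "Description": "Admin SSH from office"},
    ]},
})

# Ingress ports a public web server is expected to expose to everyone (assumption; adjust per workload).
PUBLIC_WEB_PORTS = {"80/80", "443/443"}

def is_any_cidr(cidr):
    """True for 0.0.0.0/0, ::/0 or any prefix that covers the whole address space."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:  # empty string or a group/prefix-list reference instead of a CIDR
        return False

def coarse_rules(attr_json):
    """Return (rule id, reason) pairs for Accept rules that are not fine grained."""
    findings = []
    for r in json.loads(attr_json)["Permissions"]["Permission"]:
        if r.get("Policy") != "Accept":
            continue  # Drop rules never widen access
        reasons = []
        # "-1/-1" and protocol "ALL" are assumed to be Alibaba's encoding of "every port".
        if r.get("IpProtocol", "").upper() == "ALL" or r.get("PortRange") in ("-1/-1", "1/65535"):
            reasons.append("all ports")
        peer = r["SourceCidrIp"] if r["Direction"] == "ingress" else r["DestCidrIp"]
        if is_any_cidr(peer) and not (r["Direction"] == "ingress" and r["PortRange"] in PUBLIC_WEB_PORTS):
            reasons.append("open to any address")
        if not r.get("Description"):
            reasons.append("no description")
        if reasons:
            findings.append((r["SecurityGroupRuleId"], ", ".join(reasons)))
    return findings
```

Pipe the real CLI output into `coarse_rules` (for example, `coarse_rules(sys.stdin.read())`) to obtain the rule IDs to review or revoke.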

Remediation / Resolution

To ensure that your security groups are configured with fine grained rules only, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Elastic Compute Service (ECS) console available at https://ecs.console.aliyun.com/home.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Select the cloud region where your ECS security groups reside from the top navigation bar.

05 Click on the ID (link) of the security group that you want to configure, listed in the Security Group ID/Name.

06 Select the Security Group Details tab and choose the Inbound tab to access the ingress rules defined for the selected security group.

07 To remove an inbound rule that was identified as unnecessary during the Audit process, perform the following actions:

  1. Select the rule that you want to delete and choose Delete in the Actions column.
  2. In the Delete Security Group Rule confirmation box choose OK to confirm the removal.

08 Repeat steps no. 5 - 7 for each ECS security group that you want to configure, available in the selected cloud region.

09 Change the cloud region from the top navigation bar and perform the Remediation process for other regions.

Using Alibaba Cloud CLI

01 To remove an inbound rule that was identified as unnecessary during the Audit process, run RevokeSecurityGroup command (OSX/Linux/UNIX) using the ID of the security group rule that you want to delete as the identifier parameter:

aliyun ecs RevokeSecurityGroup \
  --RegionId 'eu-west-1' \
  --SecurityGroupId 'sg-abcd1234abcd1234abcd' \
  --SecurityGroupRuleId.1 'sgr-123456789012345678901'

02 If successful, the output should return the command request ID:

{"RequestId":"1234ABCD-1234-ABCD-1234-ABCD1234ABCD"}

03 Repeat steps no. 1 and 2 for each ECS security group that you want to configure, available in the selected cloud region.

04 Change the cloud region by updating the --RegionId command parameter value and repeat the Remediation process for other regions.

Publication date Apr 30, 2024