Check your Amazon EC2 security groups for inbound rules that allow access from IP address ranges specified in RFC-1918 (i.e. 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and restrict access to only those private IP addresses/IP ranges that require it in order to implement the Principle of Least Privilege (POLP).
This rule can help you with the following compliance standards:
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using RFC-1918 CIDRs within your Amazon EC2 security groups to allow an entire private network to access the associated EC2 instances is overly permissive, so such a security group configuration does not adhere to AWS cloud security best practices.
Audit
To determine whether any Amazon EC2 security groups in your AWS cloud account contain inbound rules with RFC-1918 CIDRs, perform the following operations:
Remediation / Resolution
To update the inbound access configuration for the Amazon EC2 security groups with RFC-1918 CIDRs in order to restrict access to trusted entities only (i.e. authorized IP addresses or other security groups), perform the following operations:
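As an added example that is not part of the Conformity page or tooling, the following helper covers both the Audit check and the first half of the Remediation (revoking the offending rule). It parses the JSON shape returned by `aws ec2 describe-security-groups`, flags inbound rules whose source CIDR grants a whole RFC-1918 block (or a supernet of one, such as 0.0.0.0/0) while leaving narrower private ranges alone, and builds the matching `revoke-security-group-ingress` command; the group IDs and rules are constructed sample data.

```python
import ipaddress

# The three RFC-1918 private blocks named in the rule.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_overly_broad(cidr: str) -> bool:
    """True when `cidr` grants a whole RFC-1918 block, or a supernet of one (e.g. 0.0.0.0/0)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.version == 4 and any(block.subnet_of(net) for block in RFC1918)


def find_rfc1918_rules(describe_output: dict) -> list:
    """Audit: return (group_id, protocol, from_port, to_port, cidr) for each offending inbound rule."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):          # inbound rules only
            for rng in perm.get("IpRanges", []):           # IPv4 CIDR sources
                cidr = rng.get("CidrIp", "")
                if is_overly_broad(cidr):
                    findings.append((sg["GroupId"], perm.get("IpProtocol"),
                                     perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def revoke_command(finding) -> str:
    """Remediation: the revoke-security-group-ingress call that removes one offending rule."""
    group_id, proto, from_port, to_port, cidr = finding
    if proto == "-1":  # "all traffic" rules carry no port range; use the --ip-permissions shorthand
        return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
                f"--ip-permissions IpProtocol=-1,IpRanges=[{{CidrIp={cidr}}}]")
    port = str(from_port) if from_port == to_port else f"{from_port}-{to_port}"
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--protocol {proto} --port {port} --cidr {cidr}")


# Constructed sample in the shape of `aws ec2 describe-security-groups` output (not real account data).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "app-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.20.30.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "192.168.0.0/16"}]}]}]}

if __name__ == "__main__":
    for f in find_rfc1918_rules(SAMPLE):
        print(f"{f[0]}: {f[1]} {f[2]}-{f[3]} from {f[4]}  ->  {revoke_command(f)}")
```

After revoking, re-add the rule with `authorize-security-group-ingress` scoped to the specific private subnet or source security group that actually needs access.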
References
- AWS Documentation
  - Amazon EC2 Security Groups for Linux Instances
  - Control traffic to resources using security groups
- AWS Command Line Interface (CLI) Documentation
  - ec2
  - describe-security-groups
  - revoke-security-group-ingress
  - authorize-security-group-ingress
- CloudFormation Documentation
  - Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
  - AWS Provider