
SecurityGroup RFC 1918

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-032

Check your Amazon EC2 security groups for inbound rules that allow access from IP address ranges specified in RFC-1918 (i.e., 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and restrict access to only those private IP addresses/IP ranges that require it in order to implement the Principle of Least Privilege (POLP).

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using RFC-1918 CIDRs within your Amazon EC2 security groups to allow an entire private network to access the associated EC2 instances is overly permissive: every host on that network, not just the ones that need access, can reach the instances. A security group configured this way does not adhere to AWS cloud security best practices.


Audit

To determine if there are Amazon EC2 security groups that contain RFC-1918 CIDRs available in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Click inside the Find security groups by attribute or tag box located under Security Groups and select the following filters from the Client filters list:

  1. Choose Source/Destination (CIDR), type 10.0.0.0/8, and press Enter.
  2. Select Source/Destination (CIDR), type 172.16.0.0/12, and press Enter.
  3. Choose Source/Destination (CIDR), type 192.168.0.0/16, and press Enter.

05 Check the results returned by the Amazon EC2 console. If the console returns one or more security groups, those security groups allow traffic from RFC-1918 CIDRs within the current AWS cloud region.

06 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with predefined and custom output filters to expose the Amazon EC2 security groups that allow inbound (ingress) traffic from RFC-1918 CIDRs:

aws ec2 describe-security-groups \
	--region us-east-1 \
	--filters Name=ip-permission.cidr,Values='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' \
	--output table \
	--query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

If the describe-security-groups command does not produce any output, there are no security groups configured to allow access from RFC-1918 CIDRs. If the command output returns a table with one or more security group IDs, those Amazon EC2 security groups allow traffic from RFC-1918 CIDRs within the selected AWS cloud region.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the Audit process for other regions.
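The audit filter above only matches rules whose CIDR is exactly one of the three RFC-1918 blocks. The following Python script, added here as an example and not part of the Conformity rule or the AWS CLI, runs the same check offline over the JSON that describe-security-groups emits (a constructed sample with placeholder group IDs is embedded) and, as an extension, also flags supernets such as 10.0.0.0/7 or 0.0.0.0/0 that cover an entire RFC-1918 block and would slip past an exact-match filter.

```python
import ipaddress
import json

# RFC 1918 blocks named in the rule description.
RFC1918_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`
# (group IDs are placeholders, not real resources).
SAMPLE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-01234abcd1234abcd", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}]}]},
    {"GroupId": "sg-0abcd1234abcd1234", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/7"}]}]},
    {"GroupId": "sg-0fedcba9876543210", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "192.168.0.5/32"}],
         "UserIdGroupPairs": [{"GroupId": "sg-01234123412341234"}]}]},
]})


def classify_cidr(cidr):
    """'exact' if the CIDR is an RFC 1918 block, 'supernet' if it fully covers
    one (0.0.0.0/0 included), None if it is narrower than every block."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return None
    if net in RFC1918_BLOCKS:
        return "exact"
    if any(block.subnet_of(net) for block in RFC1918_BLOCKS):
        return "supernet"
    return None


def find_rfc1918_ingress(describe_output_json, include_supernets=True):
    """Return (GroupId, protocol, FromPort, ToPort, CidrIp, kind) per offending
    inbound rule. include_supernets=False reproduces the exact-CIDR filter of
    the audit step; True also reports wider ranges covering a whole block."""
    findings = []
    for group in json.loads(describe_output_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                kind = classify_cidr(rng["CidrIp"])
                if kind == "exact" or (kind == "supernet" and include_supernets):
                    findings.append((group["GroupId"], perm.get("IpProtocol"),
                                     perm.get("FromPort"), perm.get("ToPort"),
                                     rng["CidrIp"], kind))
    return findings
```

To run it against a real account, replace SAMPLE_OUTPUT with the output of `aws ec2 describe-security-groups --region <region> --output json` and repeat per region, as in step 03.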

Remediation / Resolution

To update the inbound access configuration for the Amazon EC2 security groups with RFC-1918 CIDRs in order to restrict access to trusted networks only (i.e., authorized IP addresses or other security groups), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure RFC-1918 security group to allow access to trusted entities only",
	"Resources": {
		"DBSecurityGroup": {
			"Type": "AWS::EC2::SecurityGroup",
			"Properties": {
				"GroupDescription": "Allow MySQL database access",
				"GroupName": "db-instance-security-group",
				"VpcId": "vpc-1234abcd",
				"SecurityGroupIngress": [{
					"IpProtocol": "tcp",
					"FromPort": 3306,
					"ToPort": 3306,
					"CidrIp": "192.168.0.5/32"
				}],
				"SecurityGroupEgress": [{
					"IpProtocol": "-1",
					"FromPort": 0,
					"ToPort": 65535,
					"CidrIp": "0.0.0.0/0"
				}]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure RFC-1918 security group to allow access to trusted entities only
Resources:
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow MySQL database access
      GroupName: db-instance-security-group
      VpcId: vpc-1234abcd
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: 192.168.0.5/32
      SecurityGroupEgress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_security_group" "db-security-group" {
	name        = "db-instance-security-group"
	description = "Allow MySQL database access"
	vpc_id      = "vpc-1234abcd"

	# Configure RFC-1918 security group to allow access to trusted entities only
	ingress {
		from_port        = 3306
		to_port          = 3306
		protocol         = "tcp"
		cidr_blocks      = ["192.168.0.5/32"]
	}

	egress {
		from_port        = 0
		to_port          = 0
		protocol         = "-1"
		cidr_blocks      = ["0.0.0.0/0"]
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to configure.

05 Select the Inbound rules tab from the console split panel and choose Edit inbound rules.

06 On the Edit inbound rules configuration page, change the traffic source for the inbound rule that allows access from RFC-1918 CIDRs (regardless of the port used), by performing one of the following actions:

  1. Select Custom from the Source dropdown list and enter one of the following sources based on your access requirements:
    1. The static IP address of the permitted host in CIDR notation (e.g., 10.0.0.5/32).
    2. The IP address range of the permitted network/subnetwork in CIDR notation, for example, 10.0.5.0/24.
    3. The name or ID of another security group available in the Security Groups section.
    4. The name or ID of a prefix list available in the Prefix lists section. Prefix lists simplify security group configuration by grouping frequently used CIDR blocks.
  2. Choose Save rules to apply the configuration changes.

07 Repeat steps no. 4 – 6 for each Amazon EC2 security group that allows inbound traffic from RFC-1918 CIDRs.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) with the ID of the Amazon EC2 security group that you want to configure as the identifier parameter, to remove the inbound rules that contain RFC-1918 CIDRs (i.e., 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) from the selected security group. The following command request example removes an inbound (ingress) rule that allows access from the RFC-1918 CIDR 192.168.0.0/16:

aws ec2 revoke-security-group-ingress \
	--region us-east-1 \
	--group-id sg-01234abcd1234abcd \
	--protocol tcp \
	--port 3306 \
	--cidr 192.168.0.0/16 \
	--query 'Return'

02 The command output should return true if the request succeeds. Otherwise, it should return an error:

true

03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rule removed in the previous step with a different set of parameters in order to restrict access to trusted entities only. To create and attach custom ingress rules to the selected Amazon EC2 security group based on your access requirements, use one of the following options (the command output should return true if the command request succeeds):

  1. Add an inbound rule that allows traffic from an authorized private IPv4 address using CIDR notation (e.g., 192.168.0.5/32):
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-01234abcd1234abcd \
    	--protocol tcp \
    	--port 3306 \
    	--cidr 192.168.0.5/32 \
    	--query 'Return'

  2. Add an ingress rule that allows traffic from a trusted IP address range using CIDR notation (for example, 10.0.5.0/24):
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-01234abcd1234abcd \
    	--protocol tcp \
    	--port 3306 \
    	--cidr 10.0.5.0/24 \
    	--query 'Return'

  3. Add an inbound rule that allows traffic from another security group (e.g., sg-01234123412341234) available in the same AWS cloud region:
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-01234abcd1234abcd \
    	--protocol tcp \
    	--port 3306 \
    	--source-group sg-01234123412341234 \
    	--query 'Return'

  4. Add an ingress rule that allows traffic from an AWS prefix list (e.g., pl-0123abcd):
    aws ec2 authorize-security-group-ingress \
    	--region us-east-1 \
    	--group-id sg-01234abcd1234abcd \
    	--ip-permissions 'IpProtocol=tcp,FromPort=3306,ToPort=3306,PrefixListIds=[{PrefixListId=pl-0123abcd}]' \
    	--query 'Return'


04 Repeat steps no. 1 – 3 for each Amazon EC2 security group that allows inbound traffic from RFC-1918 CIDRs.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Jun 23, 2016