SecurityGroup RFC 1918

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-032

Check your Amazon EC2 security groups for inbound rules that allow access from IP address ranges specified in RFC-1918 (i.e. 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) and restrict access to only those private IP addresses/IP ranges that require it in order to implement the Principle of Least Privilege (POLP).

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using RFC-1918 CIDRs within your Amazon EC2 security groups to allow an entire private network to access the associated EC2 instances can be overly permissive, so a security group configured this way does not adhere to AWS cloud security best practices.


Audit

To determine whether any Amazon EC2 security groups in your AWS cloud account contain RFC-1918 CIDRs, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Click inside the Filter security groups box located under the console top menu and select the following options from the Properties dropdown menu:

  1. Choose Source/Destination (CIDR), type 10.0.0.0/8, and press Enter.
  2. Choose again Source/Destination (CIDR), type 172.16.0.0/12, and press Enter.
  3. Choose Source/Destination (CIDR), type 192.168.0.0/16, and press Enter.

05 Check the results returned by the Amazon EC2 console. If the console returns one or more Amazon EC2 security groups, there are security groups in the current AWS cloud region that allow traffic from RFC-1918 CIDRs.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with predefined and custom query filters to expose the Amazon EC2 security groups that allow inbound/ingress traffic from RFC-1918 CIDRs:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters Name=ip-permission.cidr,Values='10.0.0.0/8,172.16.0.0/12,192.168.0.0/16' \
  --output table \
  --query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested security group ID(s):

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

If the describe-security-groups command does not produce an output, there are no security groups configured to allow access from RFC-1918 CIDRs. If the command output returns a table with one or more security group IDs, there are Amazon EC2 security groups in the selected AWS cloud region that allow traffic from RFC-1918 CIDRs.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.
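The ip-permission.cidr filter above matches only the three RFC-1918 blocks exactly, so an ingress rule for a sub-range such as 10.20.0.0/16 is not returned. The following added example (not part of the Conformity rule page or its tooling) runs the check offline over constructed output shaped like describe-security-groups JSON and uses prefix containment instead, so any RFC-1918 sub-range broader than a single /32 host is reported; group IDs and CIDRs in the sample are made up.

```python
import ipaddress
import json

# The three IPv4 blocks reserved by RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`; all values are made up.
SAMPLE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0aaaa0000aaaa0000", "GroupName": "exact-block",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "203.0.113.0/24"}],
                            "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0bbbb0000bbbb0000", "GroupName": "sub-range",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0cccc0000cccc0000", "GroupName": "remediated",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                            "IpRanges": [{"CidrIp": "192.168.0.5/32"}],
                            "UserIdGroupPairs": [{"GroupId": "sg-0dddd0000dddd0000"}]}]},
    ]
})


def rfc1918_ingress_findings(describe_output, max_hosts=1):
    """Return (group_id, (from_port, to_port), cidr) for every ingress IPv4 CIDR
    that lies inside an RFC 1918 block and covers more than max_hosts addresses.
    Single-host /32 entries and security-group sources are not flagged."""
    findings = []
    for group in json.loads(describe_output)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            # Protocol "-1" rules carry no ports; report them as "all".
            ports = (perm.get("FromPort", "all"), perm.get("ToPort", "all"))
            for entry in perm.get("IpRanges", []):
                net = ipaddress.ip_network(entry["CidrIp"], strict=False)
                if net.num_addresses <= max_hosts:
                    continue
                # subnet_of() catches sub-ranges the exact-match CLI filter misses.
                if any(net.subnet_of(block) for block in RFC1918_BLOCKS):
                    findings.append((group["GroupId"], ports, str(net)))
    return findings


if __name__ == "__main__":
    for gid, (lo, hi), cidr in rfc1918_ingress_findings(SAMPLE_OUTPUT):
        print(f"{gid}: ports {lo}-{hi} open to RFC 1918 range {cidr}")
```

Feed it real output with `aws ec2 describe-security-groups --region <region> --output json` and raise max_hosts if your policy tolerates small subnets rather than single hosts.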

Remediation / Resolution

To update the inbound access configuration for the Amazon EC2 security groups with RFC-1918 CIDRs in order to restrict access to trusted entities only (i.e. authorized IP addresses or other security groups), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure RFC-1918 security group to allow access to trusted entities only",
	"Resources": {
		"DBSecurityGroup": {
			"Type": "AWS::EC2::SecurityGroup",
			"Properties": {
				"GroupDescription": "Allow MySQL database access",
				"GroupName": "db-instance-security-group",
				"VpcId": "vpc-1234abcd",
				"SecurityGroupIngress": [{
					"IpProtocol": "tcp",
					"FromPort": 3306,
					"ToPort": 3306,
					"CidrIp": "192.168.0.5/32"
				}],
				"SecurityGroupEgress": [{
					"IpProtocol": "-1",
					"FromPort": 0,
					"ToPort": 65535,
					"CidrIp": "0.0.0.0/0"
				}]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Configure RFC-1918 security group to allow access to trusted entities only
Resources:
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow MySQL database access
      GroupName: db-instance-security-group
      VpcId: vpc-1234abcd
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3306
          ToPort: 3306
          CidrIp: 192.168.0.5/32
      SecurityGroupEgress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_security_group" "db-security-group" {
	name        = "db-instance-security-group"
	description = "Allow MySQL database access"
	vpc_id      = "vpc-1234abcd"

	# Configure RFC-1918 security group to allow access to trusted entities only
	ingress {
		from_port        = 3306
		to_port          = 3306
		protocol         = "tcp"
		cidr_blocks      = ["192.168.0.5/32"]
	}

	egress {
		from_port        = 0
		to_port          = 0
		protocol         = "-1"
		cidr_blocks      = ["0.0.0.0/0"]
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to reconfigure.

05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

06 On the Edit inbound rules configuration page, change the traffic source for the inbound rule that allows access from RFC-1918 CIDRs (regardless of the port used), by performing one of the following actions:

  1. Select Custom from the Source dropdown list and enter one of the following options based on your access requirements:
    • A specific IPv4 address with the suffix set to /32 (e.g. 192.168.0.5/32), representing the private IP address of the trusted host that requires access to the Amazon EC2 instance(s) associated with the selected security group.
    • The name or ID of another security group available in the same AWS cloud region.
  2. Choose Save rules to apply the configuration changes.

07 Repeat steps no. 4 – 6 to reconfigure other Amazon EC2 security groups that allow inbound traffic from RFC-1918 CIDRs.

08 Change the AWS cloud region from the console navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to reconfigure as the identifier parameter, to remove the inbound rule(s) that contain(s) RFC-1918 CIDRs (i.e. 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) from the selected security group. The following command request example removes an inbound/ingress rule that allows access from the RFC-1918 CIDR 192.168.0.0/16:

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id sg-01234abcd1234abcd \
  --protocol tcp \
  --port 3306 \
  --cidr 192.168.0.0/16 \
  --query 'Return'

02 The command output should return true if the request succeeds. Otherwise, it should return an error:

true

03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rule removed at the previous step with a different set of parameters in order to restrict access to trusted entities only (IP addresses or security groups). To create and attach custom inbound/ingress rules to the selected Amazon EC2 security group based on your access requirements, use one of the following options (the command does not produce an output):

  1. Add an inbound rule that allows traffic from an authorized private IPv4 address using CIDR notation (e.g. 192.168.0.5/32):
    aws ec2 authorize-security-group-ingress \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd \
      --protocol tcp \
      --port 3306 \
      --cidr 192.168.0.5/32

  2. Add an inbound rule that allows traffic from another security group (e.g. sg-01234123412341234) available in the same AWS cloud region:
    aws ec2 authorize-security-group-ingress \
      --region us-east-1 \
      --group-id sg-01234abcd1234abcd \
      --protocol tcp \
      --port 3306 \
      --source-group sg-01234123412341234


04 Repeat steps no. 1 – 3 to reconfigure other EC2 security groups that allow inbound traffic from RFC-1918 CIDRs.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the remediation process for other regions.

Publication date Jun 23, 2016