Check for AWS EC2 security groups that allow unrestricted inbound and/or outbound access (0.0.0.0/0 or ::/0) on both common and uncommon ports (except ports 80 and 443) in order to secure access at the EC2 instance level. Cloud Conformity strongly recommends restricting access on every open port, except for the web-facing ports 80 (HTTP) and 443 (HTTPS), which may allow unrestricted inbound access only.
Implementing access restrictions at the EC2 level can protect your instances against malicious activity such as brute-force attacks, Denial of Service (DoS) attacks and man-in-the-middle (MITM) attacks, and helps prevent compromise or loss of data.
Note: If your EC2 instances require custom access and access restrictions are already implemented at the OS level using software firewalls such as iptables or Windows Server Firewall, you can choose to disable this rule, although this is NOT recommended. Ideally, the two methods should complement each other.
Severity Levels
Cloud Conformity provides two levels of severity for this check – High and Very High – allowing you to change the level based on your requirements.
Rules
- Security Group Unrestricted Inbound Access on Common Ports (Very High):
  - Unrestricted FTP Access
  - Unrestricted SSH Access
  - Unrestricted Telnet Access
  - Unrestricted SMTP Access
  - Unrestricted RDP Access
  - Unrestricted Oracle Access
  - Unrestricted MySQL Access
  - Unrestricted PostgreSQL Access
  - Unrestricted DNS Access
  - Unrestricted MSSQL Access
  - Unrestricted CIFS Access
  - Unrestricted NetBIOS Access
  - Unrestricted ICMP Access
  - Unrestricted RPC Access
  - Unrestricted MongoDB Access
- Security Group Unrestricted Inbound Access on Uncommon Ports (High):
  - Unrestricted Security Group Ingress
  - Unrestricted Security Group Egress
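The following audit script is an added example and is not Cloud Conformity's own check. It applies the rule logic described above to security groups in the JSON shape returned by the EC2 DescribeSecurityGroups API (so it can be fed boto3 output unchanged, although it runs offline here on constructed sample groups): any ingress rule open to 0.0.0.0/0 or ::/0 is reported, except a single-port 80 or 443 rule; a rule whose port range covers one of the common services listed above is rated Very High, any other world-open ingress rule is rated High, and any world-open egress rule is rated High. The service-to-port mapping uses the standard default ports for the services the list names; those port numbers are an assumption of this example, not something the page states, and the group IDs are constructed.

```python
"""Audit EC2 security groups for rules open to the world (0.0.0.0/0 or ::/0).

Operates on the DescribeSecurityGroups JSON shape. The sample groups at the
bottom are constructed for this demonstration.
"""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Services from the rule list mapped to their standard default ports.
# The port numbers are assumed well-known defaults; the page names only the services.
COMMON_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 135: "RPC",
    137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 445: "CIFS",
    1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 27017: "MongoDB",
}
# The only world-open rules the check tolerates: inbound 80 or 443.
WEB_PORTS = {80, 443}


def is_world_open(perm):
    """True if the permission lists an IPv4 or IPv6 'anywhere' CIDR."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def describe_ports(perm):
    """Human-readable port span of a permission ('-1' protocol means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "0-65535"
    if proto in ("icmp", "icmpv6"):
        return "all" if perm.get("FromPort", -1) == -1 else f"type {perm['FromPort']}"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def common_services_hit(perm):
    """Names of the common-port services an ingress permission would expose."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols and all ports: every common service is exposed
        return sorted(set(COMMON_PORTS.values()) | {"ICMP"})
    if proto in ("icmp", "icmpv6"):
        return ["ICMP"]
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return sorted({name for port, name in COMMON_PORTS.items() if lo <= port <= hi})


def audit_security_group(sg):
    """Return a list of finding dicts for one security group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not is_world_open(perm):
            continue
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # A single-port 80 or 443 inbound rule is the only permitted world-open rule.
        if proto in ("tcp", "udp") and lo == hi and lo in WEB_PORTS:
            continue
        services = common_services_hit(perm)
        findings.append({
            "group": sg["GroupId"], "direction": "ingress", "protocol": proto,
            "ports": describe_ports(perm),
            "severity": "Very High" if services else "High",  # common vs uncommon port
            "services": services,
        })
    for perm in sg.get("IpPermissionsEgress", []):
        if is_world_open(perm):  # the 80/443 exemption applies to inbound only
            findings.append({
                "group": sg["GroupId"], "direction": "egress",
                "protocol": perm.get("IpProtocol"), "ports": describe_ports(perm),
                "severity": "High", "services": [],
            })
    return findings


def audit(groups):
    """Audit every group in a DescribeSecurityGroups 'SecurityGroups' list."""
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample groups (IDs are placeholders, not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,          # exempt
          "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,            # Very High
          "IpRanges": [{"CidrIp": ANY_IPV4}]},
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,        # High (uncommon)
          "IpRanges": [{"CidrIp": ANY_IPV4}]},
         {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,           # Very High
          "IpRanges": [{"CidrIp": ANY_IPV4}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,          # High (egress)
          "IpRanges": [{"CidrIp": ANY_IPV4}]}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,        # group-scoped, fine
          "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,       # Very High (range)
          "IpRanges": [{"CidrIp": ANY_IPV4}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]}]},    # High (egress)
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"{f['group']} {f['direction']:7} {f['protocol']:>4} {f['ports']:<11} "
              f"{f['severity']:9} {', '.join(f['services'])}")
```

The range rule on the db-tier group is the case worth noting: a single 1024-65535 rule never names MySQL, yet it exposes MySQL, MSSQL, Oracle, PostgreSQL, RDP and MongoDB at once, which is why the check evaluates port spans rather than matching exact port numbers.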