Check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e. from 0.0.0.0/0 or ::/0) to any host over ICMP, and restrict ICMP-based access to trusted IP addresses/IP ranges only, in order to implement the Principle of Least Privilege (POLP) and reduce the attack surface. Internet Control Message Protocol (ICMP) is an error-reporting protocol that is typically used to troubleshoot TCP/IP networks by generating error messages for any issues encountered while delivering IP packets. Even though ICMP is not a transport protocol, it can still be used to exploit network vulnerabilities.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing unrestricted inbound (ingress) ICMP access to your Amazon EC2 instances increases the opportunity for malicious activity such as Denial-of-Service (DoS), Smurf and Fraggle attacks.
Audit
To determine if your Amazon EC2 security groups allow unrestricted ICMP access, perform the following operations:
Remediation / Resolution
To update the inbound rule configuration for your Amazon EC2 security groups in order to restrict ICMP-based access to trusted entities only (i.e. authorized IP addresses and IP ranges, or other security groups), perform the following operations:
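The audit and remediation steps above both work from the same data: the `IpPermissions` entries returned by `describe-security-groups`, which are also the payload shape that `revoke-security-group-ingress` and `authorize-security-group-ingress` accept. The following Python is an added example, not Conformity's own check or the AWS CLI; it runs offline over a constructed sample of `describe-security-groups` output. Security group IDs, names and the trusted ranges `203.0.113.0/24` and `2001:db8::/32` are constructed placeholders. It flags every ICMP (and ICMPv6) ingress rule open to `0.0.0.0/0` or `::/0`, also flags "all traffic" (`-1`) rules because those implicitly include ICMP, and builds the exact revoke and authorize payloads needed to replace an open rule with one limited to trusted sources.

```python
import json
from ipaddress import ip_network

# Constructed sample of `aws ec2 describe-security-groups --output json` (not real AWS data).
SAMPLE_DESCRIBE_OUTPUT = """
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "icmpv6", "FromPort": -1, "ToPort": -1,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
"""

ICMP_V4 = {"icmp", "1"}        # AWS normally reports "icmp"; "1" is the protocol number
ICMP_V6 = {"icmpv6", "58"}
ALL_TRAFFIC = "-1"             # an "all traffic" rule implicitly allows ICMP as well
UNRESTRICTED = {"0.0.0.0/0", "::/0"}


def load_sample() -> dict:
    return json.loads(SAMPLE_DESCRIBE_OUTPUT)


def _ports(perm: dict) -> dict:
    # For ICMP rules FromPort is the ICMP type and ToPort the code (-1 = any);
    # "-1" (all traffic) rules carry no port fields at all.
    return {k: perm[k] for k in ("FromPort", "ToPort") if k in perm}


def find_unrestricted_icmp(describe_output: dict) -> list[dict]:
    """One finding per (group, rule, open CIDR) where ICMP is reachable from anywhere."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ICMP_V4 | ICMP_V6 | {ALL_TRAFFIC}:
                continue
            open_cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])
                          if r["CidrIp"] in UNRESTRICTED]
            open_cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                           if r["CidrIpv6"] in UNRESTRICTED]
            for cidr in open_cidrs:
                findings.append({"GroupId": sg["GroupId"], "GroupName": sg.get("GroupName", ""),
                                 "IpProtocol": proto, **_ports(perm), "Cidr": cidr})
    return findings


def remediation_permissions(finding: dict, trusted_cidrs: list[str]) -> tuple[dict, dict]:
    """Build the IpPermissions entry to pass to revoke-security-group-ingress (removes the
    open rule) and the one for authorize-security-group-ingress (same protocol/type/code,
    trusted sources only). A "-1" finding is returned as-is; replacing an all-traffic rule
    needs a human decision about which protocols the group really requires."""
    for c in trusted_cidrs:
        if c in UNRESTRICTED:
            raise ValueError(f"{c} is not a trusted range")
    base = {"IpProtocol": finding["IpProtocol"]}
    base.update({k: finding[k] for k in ("FromPort", "ToPort") if k in finding})
    # The revoke must match the existing rule exactly, including the open CIDR.
    if ":" in finding["Cidr"]:
        revoke = {**base, "Ipv6Ranges": [{"CidrIpv6": finding["Cidr"]}]}
    else:
        revoke = {**base, "IpRanges": [{"CidrIp": finding["Cidr"]}]}
    v4 = [c for c in trusted_cidrs if ip_network(c).version == 4]
    v6 = [c for c in trusted_cidrs if ip_network(c).version == 6]
    proto = finding["IpProtocol"]
    authorize = dict(base)
    # ICMP (v4) rules only make sense with IPv4 sources, ICMPv6 with IPv6 sources.
    if proto in ICMP_V4 | {ALL_TRAFFIC} and v4:
        authorize["IpRanges"] = [{"CidrIp": c} for c in v4]
    if proto in ICMP_V6 | {ALL_TRAFFIC} and v6:
        authorize["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
    return revoke, authorize


if __name__ == "__main__":
    trusted = ["203.0.113.0/24", "2001:db8::/32"]   # constructed trusted ranges
    for f in find_unrestricted_icmp(load_sample()):
        revoke, authorize = remediation_permissions(f, trusted)
        print(json.dumps({"finding": f, "revoke": revoke, "authorize": authorize}, indent=2))
```

Each `revoke`/`authorize` dictionary is the element you would place in the `--ip-permissions` list of the corresponding AWS CLI command (or pass to the matching boto3 call) together with `--group-id`. Revoking first and authorizing second leaves a brief window with no ICMP rule at all; if that matters, authorize the trusted rule first, then revoke the open one.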
References
- AWS Documentation
  - Amazon EC2 security groups for Linux instances
  - Work with security groups
  - Security group rules for different use cases
  - Authorize inbound traffic for your Linux instances
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-security-groups
    - revoke-security-group-ingress
    - authorize-security-group-ingress
- CloudFormation Documentation
  - Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
  - AWS Provider