
AWS Security Group allows all traffic on SSH port (22)

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Code Example

```shell
aws ec2 describe-security-groups \
  --group-ids sg-xxxxxxxxxxxxxxxxx \
  --region us-east-1
```
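As an added example (not part of this rule's documentation or of Checkov's own implementation), the following Python evaluates the JSON that the describe-security-groups command above returns and lists every ingress rule that lets 0.0.0.0/0 or ::/0 reach port 22, including rules written as "all protocols" or as a TCP range that happens to contain 22. The group IDs and CIDRs in SAMPLE are constructed, so it runs offline on saved CLI output.

```python
import json

SSH_PORT = 22
WORLD_OPEN = {"0.0.0.0/0", "::/0"}


def rule_covers_ssh(perm):
    """True if an IpPermissions entry reaches TCP/22 (or every protocol/port)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" is the CLI's marker for all protocols and ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:  # no port range given: all TCP ports
        return True
    return lo <= SSH_PORT <= hi


def open_sources(perm):
    """World-open CIDRs (IPv4 or IPv6) listed as sources on one rule."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_OPEN]


def find_open_ssh(describe_output):
    """Return [(group_id, cidr), ...] for each ingress rule that fails the check."""
    return [
        (sg["GroupId"], cidr)
        for sg in describe_output.get("SecurityGroups", [])
        for perm in sg.get("IpPermissions", [])
        if rule_covers_ssh(perm)
        for cidr in open_sources(perm)
    ]


# Constructed sample in the shape of `describe-security-groups` output:
# one group open to the world on 22, one restricted to an internal range.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]}]}""")

if __name__ == "__main__":
    for group_id, cidr in find_open_ssh(SAMPLE):
        print(f"{group_id}: SSH (22) open to {cidr}")
```

To check a live account, replace SAMPLE with `json.load()` of the saved output of the CLI command above.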

Remediation

  • AWS Console

To implement the prescribed state, follow these steps:

1. Log in to the AWS Management Console at https://console.aws.amazon.com/.

2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

3. In the left pane, click Security Groups.

4. For each security group, perform the following:
   a) Select the security group.
   b) Click Inbound Rules.
   c) Identify the rules to be removed.
   d) Click X in the Remove column.

5. Click Save.

  • CLI Command

1. Review the rules for an existing security group (replacing the security group ID and region) with the describe-security-groups command shown under Code Example above.

Rule Details

Field         Value
ID            IAC-0078
Severity      INFO
IaC Type      Cloudformation
Frameworks    CloudFormation, Terraform, TerraformPlan, Serverless
Checkov ID    CKV_AWS_24

References