AWS Security Group allows all traffic on RDP port (3389)
Description
Security groups are stateful and filter ingress and egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.
Rationale
Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.
Code Example

```diff
resource "aws_security_group" "example" {
  ...
  ingress {
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
-   cidr_blocks = ["0.0.0.0/0"]
+   cidr_blocks = ["10.0.0.1/32"]
  }
}
```

Remediation
AWS Console

To implement the prescribed state, follow these steps:

1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
3. In the left pane, click **Security Groups**.
4. For each security group, perform the following:
   a) Select the security group.
   b) Click **Inbound Rules**.
   c) Identify the rules to be removed.
   d) Click **X** in the Remove column.
5. Click **Save**.

Fix - Buildtime
Terraform
The issue is the CIDR specified in the ingress rule, "0.0.0.0/0", which admits connections from any source address. Replace it with the specific source range that actually needs RDP access, as in the code example above.
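A check a reviewer can run over the `ingress` blocks of a plan before they reach AWS, added here as an example (it is not Checkov's own implementation of CKV_AWS_25). It assumes rule dictionaries shaped like the Terraform `ingress` block (`from_port`, `to_port`, `protocol`, `cidr_blocks`, `ipv6_cidr_blocks`) and also flags the cases a literal `port == 3389` comparison misses: a port range that spans 3389, protocol `-1` (all traffic), and the IPv6 any-address `::/0`.

```python
"""Flag security group ingress rules that expose RDP (port 3389) to the internet.
Added example, not Checkov's code; the rule dicts below are constructed."""

RDP_PORT = 3389
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}          # IPv4 and IPv6 "everyone"
ALL_PROTOCOLS = {"-1", "all"}                # Terraform/AWS spelling of "any protocol"


def rule_exposes_rdp(rule: dict) -> bool:
    """True if one ingress rule admits port 3389 from any address.

    RDP uses TCP 3389 (and UDP 3389 on newer Windows versions), so tcp, udp
    and the all-protocols wildcard are considered; other protocols are not."""
    proto = str(rule.get("protocol", "tcp")).lower()
    if proto not in ALL_PROTOCOLS | {"tcp", "udp"}:
        return False
    if proto in ALL_PROTOCOLS:
        covers_port = True                   # -1 means every port on every protocol
    else:
        from_port = int(rule.get("from_port") or 0)
        to_port = int(rule.get("to_port") or 0)
        covers_port = from_port <= RDP_PORT <= to_port   # catches ranges like 3000-4000
    sources = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return covers_port and bool(sources & ANY_ADDRESS)


def find_open_rdp_rules(ingress_rules: list) -> list:
    """Return the indexes of every ingress rule that fails the check."""
    return [i for i, rule in enumerate(ingress_rules) if rule_exposes_rdp(rule)]


# Constructed sample: the page's 'before' rule, its 'after' rule, and edge cases.
SAMPLE_INGRESS = [
    {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},    # 0: the page's failing rule
    {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["10.0.0.1/32"]},  # 1: the page's fix
    {"from_port": 3000, "to_port": 4000, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},    # 2: range spanning 3389
    {"from_port": 0, "to_port": 0, "protocol": "-1", "ipv6_cidr_blocks": ["::/0"]},           # 3: all traffic, IPv6 any
    {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},      # 4: open, but not RDP
]

if __name__ == "__main__":
    for i in find_open_rdp_rules(SAMPLE_INGRESS):
        print(f"ingress rule #{i} exposes RDP to any address: {SAMPLE_INGRESS[i]}")
```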
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0079 |
| Severity | INFO |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_25 |