Skip to content

Security Groups allow ingress from 0.0.0.0/0 to port 3389

Description

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 3389. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.

Rationale

Removing unfettered connectivity to remote console services, such as RDP, reduces a server's exposure to risk.

Fix - Runtime

AWS Console

To implement the prescribed state, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon VPC console.
  3. In the left pane, click Security Groups.
  4. For each security group, perform the following:
    a) Select the security group.
    b) Click Inbound Rules.
    c) Identify the rules to be removed.
    d) Click X in the Remove column.
  5. Click Save.

Fix - Buildtime

Terraform

The issue is the CIDR specified in the ingress control rule - "0.0.0.0/0". Change it from this:

```go aws_security_group.tf resource "aws_security_group" "example" { ... ingress { from_port = 3389 to_port = 3389 protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] + cidr_blocks = ["10.0.0.1/32"] }
}


## CloudFormation

- **Resource:** AWS::EC2::SecurityGroup
- **Argument:** Properties.SecurityGroupIngress

```yaml
Type: AWS::EC2::SecurityGroup
    Properties:
      ...
      SecurityGroupIngress:
      - Description: SSH Ingress
        IpProtocol: tcp
        FromPort: 3389
        ToPort: 3389
-       CidrIp: "0.0.0.0/0"
+       CidrIp: "10.10.10.0/24"