6.25 Ensure Data tier Security Group has no inbound rules for CIDR of 0 (Global Allow)

Information

A _security group_ acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in the AWS Virtual Private Cloud (VPC), you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add _rules_ that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.
Considering any of the non-public tiers receive requests only either from the upper tier or from resources inside the same VPC, any inbound rules that allow traffic from any source (0.0.0.0/0) are not necessary and should be removed.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Using the Amazon unified command line interface:

* Remove the ingress rules for CIDR 0.0.0.0/0:

aws ec2 revoke-security-group-ingress --group-id _<data_tier_security_group>_ --protocol tcp/udp --port _<specific_port>_ --cidr 0.0.0.0/0

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11)

Plugin: amazon_aws

Control ID: ec23e4892ce969806cfb1b93152df0429d57e0d850296fa2988b38658889eef1