6.17 Use a Web-Tier ELB Security Group to accept only HTTP/HTTPS

Information

A _security group_ acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in the AWS Virtual Private Cloud (VPC), you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add _rules_ that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.
The SG associated with the Web tier ELB should allow connectivity from any source IP (0.0.0.0/0) only for the HTTP (TCP 80) and HTTPS (TCP 443) ports.

Solution

Using the Amazon unified command line interface:

* First remove all the ingress rules for the security group associated with the Web tier ELB:

aws ec2 describe-security-groups --group-id <_security_group_id>_ --query "SecurityGroups[0].IpPermissions" > /tmp/IpPermissions.json
aws ec2 revoke-security-group-ingress --group-id <_security_group_id>_ --ip-permissions file:///tmp/IpPermissions.json

* create locally the below json file containing ingress rules for any source IP (0.0.0.0/0) only for the HTTP (TCP 80) and HTTPS (TCP 443) ports and name it IpPermissions.json:

[
{
"PrefixListIds": [],
"FromPort": 80,
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": 80,
"IpProtocol": "tcp",
"UserIdGroupPairs": []
},
{
"PrefixListIds": [],
"FromPort": 443,
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": 443,
"IpProtocol": "tcp",
"UserIdGroupPairs": []
}
]

* Add to the security group associated with the Web tier ELB the above ingress rules:

aws ec2 authorize-security-group-ingress --group-id <_security_group_id>_ --ip-permissions file:///PathTo/IpPermissions.json

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11)

Plugin: amazon_aws

Control ID: 373c2b07d08dedde5508dd1b4b18829d37d7010a63f188e92b6ee87ff5f67d14