AWS Auto Scaling Group is Publicly Accessible from the Internet

Description:

Amazon EC2 Auto Scaling maintains your desired number of EC2 instances by automatically adding or removing instances. The instances in an Auto Scaling Group (ASG) are launched from a launch template or launch configuration that specifies their security groups. If those security groups permit inbound access from the entire internet (0.0.0.0/0 or ::/0), every instance the group launches is reachable from any address, which can lead to unauthorized access, data breaches, and exploitation of services that were never meant to be public. It is therefore critical to ensure that your Auto Scaling Groups are not unintentionally exposed to the public.


Remediation:

1. Restrict Public Access to Instances in Auto Scaling Group:

AWS Management Console:
  • Navigate to the EC2 service in the AWS Console.
  • In the EC2 Dashboard's left navigation pane, click on Auto Scaling Groups.
  • Choose the ASG you want to check.
  • In the Details tab, find the launch configuration or launch template associated with the ASG.
  • Navigate to either the Launch Configurations or Launch Templates section, based on what the ASG uses.
  • Find and click on the associated launch configuration or launch template.
  • Check the security groups associated with it.
  • For each security group, click on the ID to view its inbound rules.
  • Modify or remove any rules that allow unrestricted access (0.0.0.0/0 or ::/0) on unnecessary ports.
AWS CLI:

To describe the launch configurations and their security groups:

aws autoscaling describe-launch-configurations

For launch templates (this lists the templates; the security group IDs themselves are in the template's version data, which describe-launch-template-versions returns):

aws ec2 describe-launch-templates

Once you identify the security groups, describe them to view their rules:

aws ec2 describe-security-groups --group-ids SECURITY_GROUP_ID

Review and modify the rules as necessary, removing or updating any that are overly permissive.
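The review step above is easy to automate. The script below is an added example, not part of the original page: it reads the JSON that `aws ec2 describe-security-groups --group-ids SECURITY_GROUP_ID` prints and reports every inbound rule open to 0.0.0.0/0 or ::/0 on a port that is not on an allow-list. The allow-list of ports (80 and 443), the group IDs and the sample response document are constructed for this example; the JSON field names are those of the real describe-security-groups response.

```python
"""Flag over-permissive inbound rules in `aws ec2 describe-security-groups` output.

Usage (assumed, not from the original page):
    aws ec2 describe-security-groups --group-ids sg-0123 | python audit_sg.py
With no piped input the constructed SAMPLE document below is audited instead.
"""
import json
import sys

# CIDRs that mean "anyone on the Internet".
WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"

# Ports an operator may deliberately expose on a public-facing ASG.
# Assumption for this example; tune it to the service the group runs.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample response (group IDs are made up for this example).
SAMPLE = {
    "SecurityGroups": [
        {
            "GroupId": "sg-0aaa0000example1",
            "GroupName": "asg-web",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
                # IpProtocol "-1" is every protocol and every port; no FromPort/ToPort.
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        }
    ]
}


def rule_port_range(perm):
    """Return (protocol, from_port, to_port); protocol -1 means all ports."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "ALL", None, None
    return proto, perm.get("FromPort"), perm.get("ToPort")


def world_open_rules(sg):
    """Yield (group_id, proto, from_port, to_port, cidr) for every rule open to the world."""
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = rule_port_range(perm)
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in (WORLD_V4, WORLD_V6):
                yield sg["GroupId"], proto, lo, hi, cidr


def is_unexpected(proto, lo, hi):
    """True unless the rule exposes only TCP ports from ALLOWED_PUBLIC_PORTS."""
    if proto != "tcp" or lo is None or hi is None:
        return True  # all-protocol, UDP, ICMP or unbounded rules are never expected to be public
    return any(p not in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1))


def audit(doc):
    """Return one finding string per unexpected world-open rule in a describe-security-groups response."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for gid, proto, lo, hi, cidr in world_open_rules(sg):
            if is_unexpected(proto, lo, hi):
                span = "all ports" if lo is None else (str(lo) if lo == hi else f"{lo}-{hi}")
                findings.append(f"{gid}: {proto} {span} open to {cidr}")
    return findings


def main():
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(doc)
    for line in findings:
        print(line)
    return 1 if findings else 0  # non-zero exit lets a CI job fail on exposure


if __name__ == "__main__":
    sys.exit(main())
```

Run against the sample, the 443 rule passes because it is on the allow-list, the 8080 rule passes because it is limited to an internal CIDR, and the two remaining rules (SSH open to IPv4 and every protocol open to IPv6) are reported. Note that IPv6 is checked separately: a group that blocks 0.0.0.0/0 but still allows ::/0 is just as exposed on a dual-stack subnet.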

Terraform:

If you're using Terraform, review your Auto Scaling Group, launch configuration, and security group configurations:

resource "aws_security_group" "asg_sg" {
  # ... other security group configurations ...

  ingress {
    # Ensure this is not overly permissive: avoid cidr_blocks = ["0.0.0.0/0"]
    # or ipv6_cidr_blocks = ["::/0"] unless the port must be reachable from the Internet
    # ... ingress rules ...
  }
}

resource "aws_launch_configuration" "example" {
  # ... other launch configuration properties ...

  # security_groups takes security group IDs; referencing the name only works in EC2-Classic
  security_groups = [aws_security_group.asg_sg.id]
}

resource "aws_autoscaling_group" "example" {
  # ... other ASG configurations ...

  launch_configuration = aws_launch_configuration.example.name
}

Ensure the associated security group does not allow overly permissive ingress rules; check both cidr_blocks and ipv6_cidr_blocks, since ::/0 exposes the instances just as 0.0.0.0/0 does.


Recommendation:

Always ensure that the security groups associated with your Auto Scaling Groups allow only the necessary access. Avoid exposing instances to the entire internet unless explicitly needed, and if so, limit the exposed ports. Regularly audit security group configurations to identify and rectify any potential overexposures. Implement monitoring and alerting through tools like AWS CloudTrail and AWS Config to detect and be notified of security group changes.
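The monitoring recommended above can be built on CloudTrail's record of security group changes. The script below is an added example, not part of the original page: it scans a CloudTrail log document (a JSON object with a "Records" list, as delivered to S3) and raises an alert for every AuthorizeSecurityGroupIngress call that opened a group to 0.0.0.0/0 or ::/0. The account ID, user names, group ID and event records are constructed for this example; the field layout (camelCase requestParameters with "items" wrappers) follows CloudTrail's format for EC2 API calls. Only AuthorizeSecurityGroupIngress is handled here; ModifySecurityGroupRules uses a different parameter shape and is left out as an assumption of scope.

```python
"""Alert on CloudTrail events that open a security group to the Internet.

Added example. Intended to run over a CloudTrail log document; the constructed
SAMPLE_TRAIL below stands in for a real delivery.
"""
import json
import sys

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail records (account 123456789012 and all names are made up).
SAMPLE_TRAIL = {
    "Records": [
        {   # a successful call that opens SSH to the world: must alert
            "eventTime": "2024-01-01T00:00:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {
                "groupId": "sg-0aaa0000example1",
                "ipPermissions": {"items": [
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                     "ipv6Ranges": {"items": []}}]}},
        },
        {   # the same request denied by IAM: nothing changed, must not alert
            "eventTime": "2024-01-01T00:01:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "errorCode": "Client.UnauthorizedOperation",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
            "requestParameters": {
                "groupId": "sg-0aaa0000example1",
                "ipPermissions": {"items": [
                    {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
                     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
        },
        {   # an internal-only rule: must not alert
            "eventTime": "2024-01-01T00:02:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {
                "groupId": "sg-0aaa0000example1",
                "ipPermissions": {"items": [
                    {"ipProtocol": "tcp", "fromPort": 8080, "toPort": 8080,
                     "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}},
        },
        {   # removing a rule is not an exposure
            "eventTime": "2024-01-01T00:03:00Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RevokeSecurityGroupIngress",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {"groupId": "sg-0aaa0000example1"},
        },
    ]
}


def _items(node):
    """EC2 request parameters in CloudTrail wrap lists as {"items": [...]}."""
    if isinstance(node, dict):
        return node.get("items", [])
    return node or []


def world_open_permissions(event):
    """Return (proto, from_port, to_port, cidr) for each world-open rule the event granted."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    if event.get("errorCode"):
        return []  # the API call failed, so no rule was added
    params = event.get("requestParameters") or {}
    hits = []
    for perm in _items(params.get("ipPermissions")):
        cidrs = [r.get("cidrIp") for r in _items(perm.get("ipRanges"))]
        cidrs += [r.get("cidrIpv6") for r in _items(perm.get("ipv6Ranges"))]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr))
    return hits


def alerts(trail_doc):
    """Return one alert line per world-open rule added anywhere in the log document."""
    out = []
    for ev in trail_doc.get("Records", []):
        who = (ev.get("userIdentity") or {}).get("arn", "unknown")
        gid = (ev.get("requestParameters") or {}).get("groupId", "unknown")
        for proto, lo, hi, cidr in world_open_permissions(ev):
            out.append(f"{ev.get('eventTime')} {who} opened {gid} {proto} {lo}-{hi} to {cidr}")
    return out


if __name__ == "__main__":
    doc = SAMPLE_TRAIL if sys.stdin.isatty() else json.load(sys.stdin)
    for line in alerts(doc):
        print(line)
```

This alerts on every rule opened to the world rather than applying a port allow-list, because the point of change monitoring is to have a human confirm each new public exposure; a denied call (errorCode present) is skipped since it changed nothing, and the identity ARN in each alert is what you need to follow up with the person who made the change.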