AWS ELBv2 has Unrestricted Security Group Attached
Description:
Amazon Elastic Load Balancer (ELBv2) uses security groups to allow or deny inbound and outbound traffic. It's a security best practice to restrict access to the minimal set of IPs or IP ranges necessary to operate. When an ELBv2 security group is misconfigured to allow unrestricted access (0.0.0.0/0) for certain ports, it poses a security risk as it exposes the load balancer to potential malicious activities from any source.
Remediation:
1. Modify the Attached Security Group:
Restrict the access to your ELBv2 by adjusting its associated security group rules to only allow the necessary IPs or IP ranges.
AWS Management Console:
- Navigate to the EC2 Dashboard.
- Under Security in the left-hand pane, click on Security Groups.
- Locate the security group associated with your ELBv2.
- On the Inbound rules tab, modify or remove any rules that allow unrestricted access (0.0.0.0/0).
AWS CLI:
# Update security group rules
aws ec2 revoke-security-group-ingress \
--group-id <Your-Security-Group-ID> \
--protocol <Your-Protocol> \
--port <Your-Port> \
--cidr 0.0.0.0/0
Terraform:
resource "aws_security_group" "elbv2_sg" {
name = "my_elbv2_sg"
description = "Security Group for ELBv2"
vpc_id = "<Your-VPC-ID>"
ingress {
from_port = <Your-Port>
to_port = <Your-Port>
protocol = "<Your-Protocol>"
cidr_blocks = ["<Your-Allowed-IP-Ranges>"]
// Make sure 0.0.0.0/0 is not present here.
}
// ... other configurations ...
}
resource "aws_lb" "example" {
name = "my-lb"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.elbv2_sg.id]
// ... other configurations ...
}
2. Monitoring and Alerts:
- Use Amazon CloudWatch or AWS Config to monitor changes to security group rules.
- Set up alerts to notify you when unrestricted access rules (0.0.0.0/0) are added.
3. Periodic Review:
- Regularly review your ELBv2 security groups to ensure they are not overly permissive and adhere to the principle of least privilege.
It is paramount to ensure that security groups attached to essential resources like ELBv2 are not overly permissive. By adhering to the principle of least privilege and allowing only necessary traffic, you significantly reduce the risk of potential malicious activities targeting your infrastructure.
Updated 11 months ago