Ensure Security Groups with All Inbound Public Traffic are Business-Approved

Description:

AWS Security Groups serve as virtual firewalls that regulate inbound and outbound traffic for the resources they are attached to. A security group that permits all inbound traffic from the public internet (source 0.0.0.0/0, or ::/0 for IPv6) exposes every attached resource to any host on the internet, and such a rule is far more often an oversight than a deliberate choice. There are legitimate scenarios in which a resource must be reachable from the entire internet (e.g., a public website), but those configurations should always be explicitly business-approved so that they are demonstrably intentional rather than the result of a misconfiguration.
Remediation:

1. Identify Security Groups with All Inbound Public Traffic:

AWS Management Console:
  • Navigate to the EC2 Dashboard.
  • In the left navigation pane, choose Security Groups.
  • Review the inbound rules of each security group, looking specifically for rules whose source is 0.0.0.0/0 (or its IPv6 equivalent, ::/0). A rule with protocol "All traffic" from one of these sources is the worst case, but a single open port is still public exposure and should be reviewed the same way.

2. Verify Business Approval:

For each security group with broad public access:

  • Consult with the team or individual responsible for the resource associated with that security group.
  • Determine the business need for the open access.
  • If the broad access is business-approved, document the justification and approval.
  • If the open access is not justified or lacks proper approval, restrict access to only the necessary IP addresses or ranges.

AWS Management Console:
  • For the identified security group with broad public access, select the group.
  • Under the Inbound rules tab, choose Edit inbound rules.
  • Modify or remove the rule that allows all public traffic and save changes. Security group changes take effect immediately on every resource the group is attached to, so confirm with the resource owner that no required traffic depends on the rule before saving.

3. Implement Monitoring:

  • Regularly audit security groups for overly permissive inbound rules.
  • Use tools like AWS Config to set up rules that will alert you when security groups with broad public access are created or modified.
  • Establish a workflow for obtaining and documenting business approval for such configurations.
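The identification step (1) and the recurring audit in step 3 can be scripted against the security group data the EC2 API returns. The following is an added example, not code from the original page or from AWS: it walks security groups in the shape returned by boto3's `ec2.describe_security_groups()`, flags every inbound rule sourced from 0.0.0.0/0 or ::/0, and marks a group as failing unless it appears in a documented approval register. The sample groups, the `APPROVED` register and its ticket reference are constructed for this example.

```python
# Offline audit of EC2 security-group inbound rules open to the whole internet.
# The input mirrors boto3's ec2.describe_security_groups() response shape; the
# sample groups and approval register below are constructed for this example.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"

SAMPLE_GROUPS = [  # constructed sample data
    {"GroupId": "sg-0aaa", "GroupName": "legacy-admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "web-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
# Hypothetical approval register: group id -> documented business justification.
APPROVED = {"sg-0bbb": "CHG-1234: public website, HTTPS only"}


def public_rules(group):
    """Return the inbound rules of `group` whose source is 0.0.0.0/0 or ::/0."""
    found = []
    for perm in group.get("IpPermissions", []):
        sources = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        sources |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if sources & PUBLIC_CIDRS:
            all_traffic = perm.get("IpProtocol") == "-1"  # "-1" = every protocol/port
            found.append({
                "protocol": "all" if all_traffic else perm["IpProtocol"],
                "ports": "all" if all_traffic else f"{perm['FromPort']}-{perm['ToPort']}",
                "sources": sorted(sources & PUBLIC_CIDRS),
                "all_traffic": all_traffic,
            })
    return found


def audit(groups, approved):
    """Flag every internet-exposed group; those without an approval record fail."""
    findings = []
    for g in groups:
        rules = public_rules(g)
        if rules:
            findings.append({
                "group_id": g["GroupId"], "name": g["GroupName"], "rules": rules,
                "all_traffic": any(r["all_traffic"] for r in rules),
                "status": "approved" if g["GroupId"] in approved else "fail",
                "justification": approved.get(g["GroupId"]),
            })
    return findings


FINDINGS = audit(SAMPLE_GROUPS, APPROVED)  # run against the constructed sample
```

Against the sample, `legacy-admin` is reported as a failing all-traffic exposure, `web-public` as an approved HTTPS-only exposure, and `internal` is not reported at all. To run it for real, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `describe_security_groups()` and keep the approval register under change control.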

Recommendation:

Approach every security group configuration with the principle of least privilege in mind. Where a resource genuinely requires broad access, make sure that is a conscious, documented decision backed by a valid business reason. Regular audits, automated checks, and an approval workflow together keep the AWS environment secure, reduce the attack surface, and demonstrate adherence to security best practices.