EC2 group does not restrict access to administration ports

ID

aws_ec2_group_admin_ports_access

Severity

high

Vendor

AWS

Resource

Network

Tags

reachable

Description

The EC2 security group does not restrict access to the administration ports (22 for SSH, 3389 for RDP). Exposing these ports to every source address increases the opportunity for malicious activity such as credential brute forcing and exploitation of the management services. Note that a rule with proto -1/all, or a port range that contains 22 or 3389, opens them just as much as a rule that lists the port explicitly.

To fix it, limit the source of every rule covering these ports to specific IP ranges (for example a bastion host, VPN egress or office CIDR) instead of cidr_ip: 0.0.0.0/0 or cidr_ipv6: ::/0.

Learn more about this topic at AWS Security Groups.
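The following checker is an added example, not the rule implementation behind this page. It walks a list of rules in the shape that amazon.aws.ec2_security_group accepts (proto, ports, from_port/to_port, cidr_ip, cidr_ipv6) and reports every administration port that is reachable from 0.0.0.0/0 or ::/0. It also covers the cases the description warns about: proto -1/all, port ranges written as "lo-hi", and source lists. The sample rules at the bottom are constructed for the example; the first two mirror the vulnerable and fixed rules shown on this page.

```python
"""Flag Ansible ec2_security_group rules that expose SSH/RDP to the whole
internet. Example code only; the rule names and helpers are assumptions."""
import ipaddress
from typing import Iterable

ADMIN_PORTS = {22, 3389}          # SSH and RDP, as named in the description


def _port_ranges(rule: dict) -> list[tuple[int, int]]:
    """Return the inclusive (from, to) port ranges a rule covers.

    proto -1/all means every port; 'ports' may hold ints or 'lo-hi' strings;
    from_port/to_port is the other way Ansible expresses a range.
    """
    proto = str(rule.get("proto", "tcp")).lower()
    if proto in ("-1", "all"):
        return [(0, 65535)]
    if proto not in ("tcp", "udp"):   # icmp and friends carry no admin port
        return []
    ranges: list[tuple[int, int]] = []
    for entry in rule.get("ports") or []:
        if isinstance(entry, int):
            ranges.append((entry, entry))
        else:
            lo, _, hi = str(entry).partition("-")
            ranges.append((int(lo), int(hi or lo)))
    if "from_port" in rule:
        lo = int(rule["from_port"])
        ranges.append((lo, int(rule.get("to_port", lo))))
    return ranges


def _sources(rule: dict) -> list[str]:
    """Collect cidr_ip / cidr_ipv6 sources; each may be a string or a list."""
    out: list[str] = []
    for key in ("cidr_ip", "cidr_ipv6"):
        value = rule.get(key)
        if value is None:
            continue
        out.extend(value if isinstance(value, list) else [value])
    return out


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other /0 spelling (e.g. 1.2.3.4/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_open_admin_ports(rules: Iterable[dict]) -> list[dict]:
    """One finding per (rule, admin port, world-open source) combination."""
    findings = []
    for rule in rules:
        for lo, hi in _port_ranges(rule):
            for port in sorted(ADMIN_PORTS):
                if not lo <= port <= hi:
                    continue
                for src in _sources(rule):
                    if _is_world_open(src):
                        findings.append({
                            "port": port,
                            "source": src,
                            "rule_desc": rule.get("rule_desc", ""),
                        })
    return findings


# Constructed sample rules (not from a real account).
VULNERABLE_RULE = {"proto": "tcp", "ports": [22], "cidr_ip": "0.0.0.0/0",
                   "rule_desc": "allow all on port 22"}
FIXED_RULE = {"proto": "tcp", "ports": [22], "cidr_ip": "192.165.192.165/32",
              "rule_desc": "allow SSH from the admin host only"}
SAMPLE_RULES = [
    VULNERABLE_RULE,
    FIXED_RULE,
    # all traffic from anywhere: hits both 22 and 3389
    {"proto": "-1", "cidr_ip": "0.0.0.0/0", "rule_desc": "allow everything"},
    # a range that happens to contain RDP, open over IPv6
    {"proto": "tcp", "ports": ["3000-4000"], "cidr_ipv6": "::/0",
     "rule_desc": "app ports"},
    # HTTP to the world is out of scope for this rule
    {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for f in find_open_admin_ports(SAMPLE_RULES):
        print(f"port {f['port']} open to {f['source']} ({f['rule_desc']})")
```

Run against the rules list of a playbook task (for instance after loading the YAML with PyYAML) and fail the pipeline when the returned list is non-empty; the page's fixed rule produces no finding while the vulnerable one produces port 22 on 0.0.0.0/0.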

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: example
      amazon.aws.ec2_security_group:
        name: "{{ name }}"
        description: sg with rule descriptions
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          - proto: tcp
            ports:
            - 22
            cidr_ip: 0.0.0.0/0
            rule_desc: allow all on port 22

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: example
      amazon.aws.ec2_security_group:
        name: "{{ name }}"
        description: sg with rule descriptions
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          - proto: tcp
            ports:
            - 22
            cidr_ip: 192.165.192.165/32   # a single trusted admin host; replace with your own range
            rule_desc: allow SSH from the admin host only