EC2 group has HTTP port open to internet
ID | Severity | Vendor | Resource | Tags
aws_ec2_group_http_port_open | low | AWS | Network | reachable
Description
EC2 group has HTTP port open to internet. HTTP traffic is not encrypted, so anyone able to intercept the packets on the path between the client and the instance can read the data in plain text. Only HTTPS should be allowed.
By default, the HTTP ports considered are 80 and 8080 to 8099. You can configure them with the http_ports parameter, which takes a comma-separated list of ports; each entry is either a single port or a range written with '-' (for example: 80, 8080-8099).
To fix it, deny access to the HTTP ports from the internet (for example, remove the ingress rules that open them to 0.0.0.0/0) and allow only HTTPS (port 443).
Learn more about this topic at AWS security group rules.
Examples
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: example
      amazon.aws.ec2_security_group:
        name: "{{ name }}"
        description: sg for HTTP
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          # Flagged: TCP port 80 (HTTP) reachable from anywhere (0.0.0.0/0)
          - proto: tcp
            cidr_ip: 0.0.0.0/0
            from_port: 80
            to_port: 80
Mitigation / Fix
---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: example
      amazon.aws.ec2_security_group:
        name: "{{ name }}"
        description: sg for HTTPS
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          # Only TCP port 443 (HTTPS) is exposed; no HTTP port is opened
          - proto: tcp
            cidr_ip: 0.0.0.0/0
            from_port: 443
            to_port: 443
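The following Python script is an added worked example, not the scanner's own code, showing how the http_ports parameter described above can be parsed and how a security-group rule is judged to open an HTTP port to the internet; it runs over constructed task dictionaries that mirror the two playbooks above (no YAML library needed). The evaluation logic, the treatment of ::/0 as an internet source, the handling of the module's ports list and the hypothetical group name web-sg are assumptions made for the example, not taken from the page.

```python
"""Added worked example (not the scanner's own code): parse the http_ports
parameter and decide whether an amazon.aws.ec2_security_group rule opens an
HTTP port to the internet."""

DEFAULT_HTTP_PORTS = "80, 8080-8099"        # the rule's documented default
INTERNET_SOURCES = {"0.0.0.0/0", "::/0"}   # assumption: IPv6 catch-all counts too


def _span(value) -> tuple[int, int]:
    """'80' -> (80, 80); '8080-8099' -> (8080, 8099); '-1' -> all ports."""
    s = str(value).strip()
    if s == "-1":                           # module convention for "all ports"
        return (0, 65535)
    lo, hi = s.split("-", 1) if "-" in s else (s, s)
    return (int(lo), int(hi))


def parse_http_ports(spec: str) -> set[int]:
    """Expand a spec such as '80, 8080-8099' into the set of ports it names."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue                        # tolerate a trailing comma
        lo, hi = _span(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def rule_port_spans(rule: dict) -> list[tuple[int, int]]:
    """Port spans a rule covers: its ports list, from_port/to_port, or everything."""
    if "ports" in rule:                     # e.g. ports: [80, "8080-8099"]
        return [_span(p) for p in rule["ports"]]
    if "from_port" in rule and "to_port" in rule:
        lo, _ = _span(rule["from_port"])
        _, hi = _span(rule["to_port"])
        return [(lo, hi)]
    return [(0, 65535)]                     # no port given (proto: all)


def rule_opens_http(rule: dict, http_ports: set[int]) -> list[int]:
    """HTTP ports this ingress rule exposes to the whole internet (sorted)."""
    proto = str(rule.get("proto", "tcp")).lower()
    if proto not in ("tcp", "-1", "all"):   # icmp/udp rules cannot carry HTTP
        return []
    sources = {rule.get("cidr_ip"), rule.get("cidr_ipv6")}
    if not sources & INTERNET_SOURCES:      # restricted source: not reachable
        return []
    exposed = {p for lo, hi in rule_port_spans(rule) for p in http_ports if lo <= p <= hi}
    return sorted(exposed)


def scan_task(task: dict, http_ports_spec: str = DEFAULT_HTTP_PORTS) -> list[str]:
    """Findings for one playbook task that uses amazon.aws.ec2_security_group."""
    params = task.get("amazon.aws.ec2_security_group")
    if not params:
        return []
    http_ports = parse_http_ports(http_ports_spec)
    findings = []
    for rule in params.get("rules", []):
        ports = rule_opens_http(rule, http_ports)
        if ports:
            findings.append(f"{task.get('name')}: HTTP port(s) {ports} open to internet")
    return findings


# Constructed sample tasks mirroring the page's example and its fix
# (hypothetical group name; vpc_id kept as the page's placeholder).
def _sg_task(port: int) -> dict:
    return {
        "name": "example",
        "amazon.aws.ec2_security_group": {
            "name": "web-sg",
            "description": "sg for HTTP" if port == 80 else "sg for HTTPS",
            "vpc_id": "vpc-xxxxxxxx",
            "region": "us-east-1",
            "rules": [{"proto": "tcp", "cidr_ip": "0.0.0.0/0",
                       "from_port": port, "to_port": port}],
        },
    }


VULNERABLE_TASK = _sg_task(80)   # flagged: port 80 open to 0.0.0.0/0
FIXED_TASK = _sg_task(443)       # clean: only HTTPS exposed

if __name__ == "__main__":
    for task in (VULNERABLE_TASK, FIXED_TASK):
        print(scan_task(task) or ["no finding"])
```

Note that a rule with proto: all (or -1) and no port restriction also exposes every configured HTTP port, and a rule whose source is a private CIDR is not reported even if it covers port 80, because the finding is about reachability from the internet; change http_ports_spec to tune which ports count as HTTP.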