Security groups with accidental or intentional access to the open internet can provide attackers potential pivots to other services. Often rules are added for troubleshooting purposes, not audited, and forgotten. Eventually, they are detected as the result of either an incident or a compliance audit.
Security groups control the traffic that can flow into AWS services. When they are wide open to the internet, they allow anyone to send traffic to your workloads.
This is the equivalent of not running firewalls on the perimeter of your data center, or of accidentally adding an overly permissive statement such as permit ip any any to an access control list evaluation, causing the network ACL to fail open. Depending on your business's compliance requirements, not monitoring or remediating such changes could be a violation.
Security groups can be attached to workloads such as EC2 instances, load balancers, or Amazon OpenSearch (managed ElasticSearch). While it is common to allow application traffic from the internet (for example, HTTP or HTTPS), management protocols such as SSH or RDP should not be exposed to anyone on the internet. Security group modifications should be monitored and evaluated against a policy on acceptable exposure.
Identify affected resources
Use the following command to show information about all security groups in the current region that have at least one ingress rule allowing traffic from anyone on the internet:
aws ec2 describe-security-groups \
    --filter Name=ip-permission.cidr,Values=0.0.0.0/0,::/0
Use the ToPort values of the returned rules to identify risky open ports. These ports include, but are not limited to:
- FTP (ports 20 and 21)
- SSH (port 22)
- Telnet (port 23)
- SMTP (port 25)
- NetBIOS (ports 137 and 139)
- SMB (port 445)
- Microsoft SQL Server (port 1433)
- Docker API (port 2375)
- MySQL (port 3306)
- RDP (port 3389)
- PostgreSQL (port 5432)
- Redis (ports 6379 and 16379)
- ElasticSearch (ports 9200 and 9300)
- Kubelet (ports 10250 and 10255)
- MongoDB (ports 27017 and 27018)
You can use the following command to identify security groups opening one of these ports to the internet:
aws ec2 describe-security-groups \
    --filters Name=ip-permission.cidr,Values=0.0.0.0/0,::/0 \
              Name=ip-permission.from-port,Values=0,20,21,22,23,25,137,139,445,1433,2375,3306,3389,5432,6379,9200,9300,10250,10255,16379,27017,27018
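As an added example (not part of this Datadog page or of the AWS CLI), the following Python script applies the same check to the JSON that `aws ec2 describe-security-groups --output json` produces, using a constructed sample with made-up group IDs and names. It also catches two cases the from-port filter above cannot match: a rule whose range starts above the listed ports but still spans some of them, and an all-traffic rule (IpProtocol -1) that has no port fields at all.

```python
import json
import sys

# Risky management and database ports from the list above.
RISKY_PORTS = {20, 21, 22, 23, 25, 137, 139, 445, 1433, 2375, 3306, 3389,
               5432, 6379, 9200, 9300, 10250, 10255, 16379, 27017, 27018}
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "debug", "IpPermissions": [
        # Wide range: FromPort is 1024, so the CLI from-port filter never matches it.
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "open", "IpPermissions": [
        # Protocol -1 means all traffic; the rule carries no port fields at all.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}

def internet_sources(perm):
    """CIDR sources of one rule that mean 'anyone on the internet' (IPv4 or IPv6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in INTERNET_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in INTERNET_CIDRS]
    return v4 + v6

def exposed_ports(perm):
    """Risky ports covered by a rule's port range; protocol -1 covers every port."""
    if perm.get("IpProtocol") == "-1":
        return sorted(RISKY_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in RISKY_PORTS if lo <= p <= hi)

def find_risky_groups(describe_output):
    """Return (GroupId, sources, ports) for every rule open to the internet on a risky port."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources, ports = internet_sources(perm), exposed_ports(perm)
            if sources and ports:
                findings.append((sg["GroupId"], tuple(sources), tuple(ports)))
    return findings

if __name__ == "__main__":
    data = SAMPLE if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    for group_id, sources, ports in find_risky_groups(data):
        print(f"{group_id}: {', '.join(sources)} -> ports {ports}")
```

Run it with the path to saved describe-security-groups JSON as the first argument, or with no argument to evaluate the embedded sample.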
Remediate vulnerable resources
Remove or adapt ingress rules that expose risky ports to the internet, or restrict them to specific public IP addresses. For remote management, AWS Systems Manager Session Manager is recommended: it lets you authenticate with your existing AWS identity and does not require opening any ingress ports.
To remove a security group rule, use the following command:
aws ec2 revoke-security-group-ingress \
    --group-name your-security-group \
    --protocol tcp \
    --port 3389 \
    --cidr 0.0.0.0/0
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the following out-of-the-box rules:
Control traffic to resources using security groups
Creating, configuring, and deleting security groups for Amazon EC2