Overview
Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.
Rationale
Exposing SSH (TCP 22) or RDP (TCP 3389) to the Internet lets attackers run password-guessing and credential-stuffing campaigns against virtual machines around the clock. Once an attacker gains access, the compromised virtual machine becomes a foothold for moving laterally to other machines on the network, or for attacking systems outside the cloud environment altogether.
Remediation guidance
AWS
Check your EC2 security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) to TCP port 22. Rules that allow all traffic (protocol -1) or a port range that contains 22 (for example 0-1024) expose the port just as much as a rule that names port 22 explicitly. Restrict access to only those IP addresses that require it, in order to implement the principle of least privilege and reduce the possibility of a breach.
Perform the following to implement the prescribed state:
- Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
- In the left pane, click Security Groups
- For each security group, perform the following:
- Select the security group
- Click the Inbound Rules tab
- Identify the rules to be removed
- Click the x in the Remove column
- Click Save
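The same audit can be scripted against the output of `aws ec2 describe-security-groups`. The example below is added here and is not code from the original page or from AWS: it evaluates the JSON shape that command (and boto3's `describe_security_groups`) returns, flags permissions that reach TCP 22 or 3389 from 0.0.0.0/0 or ::/0, including protocol -1 and port-range rules, and builds the exact `revoke-security-group-ingress` / `authorize-security-group-ingress` commands that replace each wildcard with a narrow admin range. The group IDs, rules and the 203.0.113.0/24 replacement range are constructed sample data.

```python
"""Audit EC2 security groups for SSH/RDP open to the Internet and build the
aws CLI commands that narrow them.

Added example, not code from the original page or from AWS. It works on the
JSON shape returned by `aws ec2 describe-security-groups` (boto3's
describe_security_groups returns the same structure). Group IDs, CIDRs and
the replacement range are constructed sample data.
"""
import json

MANAGEMENT_PORTS = (22, 3389)
WILDCARDS = {"0.0.0.0/0", "::/0"}


def permission_covers(perm, port):
    """True if an IpPermissions entry reaches TCP `port`.

    IpProtocol "-1" means all protocols and ports (no FromPort/ToPort keys).
    A TCP range such as 0-1024 covers 22 even though neither bound is 22, which
    is why filtering describe-security-groups on from-port=22 alone misses it.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":  # udp/icmp rules cannot carry SSH or RDP
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def wildcard_sources(perm):
    """Return the 0.0.0.0/0 and ::/0 sources on a permission (check both families)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] in WILDCARDS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] in WILDCARDS]
    return v4 + v6


def audit(security_groups):
    """One finding per (group, permission, wildcard source) that reaches 22 or 3389."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = [p for p in MANAGEMENT_PORTS if permission_covers(perm, p)]
            if not ports:
                continue
            for cidr in wildcard_sources(perm):
                findings.append({"GroupId": sg["GroupId"], "Cidr": cidr,
                                 "Ports": ports, "Permission": perm})
    return findings


def revoke_payload(perm, cidr):
    """--ip-permissions JSON that removes exactly the wildcard source.

    revoke-security-group-ingress only matches a rule whose protocol, ports and
    CIDR are identical to what is stored, so copy them from the permission.
    """
    entry = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
    if ":" in cidr:
        entry["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
    else:
        entry["IpRanges"] = [{"CidrIp": cidr}]
    return [entry]


def remediation_commands(findings, replacement_cidr):
    """Revoke each wildcard rule, then re-grant only the management ports from a
    narrow CIDR. A "-1" rule is revoked whole, so anything else it carried must
    be re-added deliberately. Grants are deduplicated per (group, port) because
    EC2 rejects duplicate rules with InvalidPermission.Duplicate."""
    cmds, granted = [], set()
    range_key, cidr_key = (("Ipv6Ranges", "CidrIpv6") if ":" in replacement_cidr
                           else ("IpRanges", "CidrIp"))
    for f in findings:
        payload = json.dumps(revoke_payload(f["Permission"], f["Cidr"]))
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {f['GroupId']} "
                    f"--ip-permissions '{payload}'")
        for port in f["Ports"]:
            if (f["GroupId"], port) in granted:
                continue
            granted.add((f["GroupId"], port))
            grant = json.dumps([{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                                 range_key: [{cidr_key: replacement_cidr,
                                              "Description": "admin access"}]}])
            cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {f['GroupId']} "
                        f"--ip-permissions '{grant}'")
    return cmds


# Constructed sample: what describe-security-groups might return (not real account data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-0ccccccccccccccccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ccccccccccccccccc"}]},
    ]},
]

if __name__ == "__main__":
    found = audit(SAMPLE_GROUPS)
    for f in found:
        print(f"{f['GroupId']}: {f['Cidr']} reaches {f['Ports']}")
    for cmd in remediation_commands(found, "203.0.113.0/24"):
        print(cmd)
```

Run the printed commands only after confirming that administrators reach the instances another way (the Impact note below applies); the revoke payloads must match the stored rule field for field, which is why they are copied from the audit output rather than typed by hand.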
Impact
For updating an existing environment, care should be taken to ensure that administrators currently relying on an existing ingress from 0.0.0.0/0 have access to ports 22 and/or 3389 through another security group.
Azure
Where SSH is not explicitly required and narrowly configured for resources attached to the Network Security Group, Internet-level access to your Azure resources should be restricted or eliminated.
From Azure Console
- Go to Virtual Machines
- For each virtual machine you want to restrict SSH for, under Settings, go to Networking
- In the list of inbound port rules, delete any Allow rule with port 22 and with Source as Any, Internet or 0.0.0.0/0
- Review all Allow rules with port 22 that have static IPs and remove the ones that are not necessary
After direct SSH access from the Internet is disabled, you have other options you can use to access these virtual machines for remote management:
By default, SSH access from the internet is not enabled.
Google Cloud
From Console
- Go to VPC Network
- Go to Firewall Rules
- Click the Firewall Rule you want to modify
- Click Edit
- Modify Source IP ranges to the specific IPs that require access
- Click Save
Via CLI gcloud
- Update the firewall rule with the new SOURCE_RANGE using the command below (note that --source-ranges replaces the rule's whole source list, so include every range that should keep access):
gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]]] --source-ranges=[CIDR_RANGE,...]
Impact
All SSH connections from outside of the network to the concerned VPC(s) will be blocked. There could be a business need where SSH access is required from outside of the network to access resources associated with the VPC. In that case, the specific source IP(s) should be listed in the firewall rules to allow-list access to the SSH port for the concerned VPC(s).
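The console and gcloud steps above can be driven from the output of `gcloud compute firewall-rules list --format=json`. The example below is added here and is not code from the original page or from Google: it flags ingress rules that allow TCP 22 or 3389 from 0.0.0.0/0 or ::/0, treats a rule with no source specification as 0.0.0.0/0 (the `sources: []` branch of the stored check further down this page), handles port ranges such as "1-1024" and protocol "all", and builds the narrowing `firewall-rules update --source-ranges` command while preserving the rule's existing non-wildcard ranges. Rule names and ranges are constructed sample data; 203.0.113.0/24 stands in for an admin network.

```python
"""Audit Google Cloud VPC firewall rules for SSH/RDP open to the Internet and
build the gcloud command that narrows them.

Added example, not code from the original page or from Google. It reads the
JSON that `gcloud compute firewall-rules list --format=json` returns. Rule
names and ranges are constructed sample data.
"""
MANAGEMENT_PORTS = (22, 3389)
WILDCARDS = {"0.0.0.0/0", "::/0"}


def port_spec_covers(spec, port):
    """GCP port specs are strings: "22" or a range like "1-1024"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_allows(rule, port):
    """True if an `allowed` entry reaches TCP `port`. An entry without `ports`
    (or with IPProtocol "all") covers every port. Rules that only carry `denied`
    entries block traffic and are not flagged."""
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol") not in ("tcp", "all"):
            continue
        if "ports" not in allowed or any(port_spec_covers(p, port) for p in allowed["ports"]):
            return True
    return False


def wildcard_sources(rule):
    """Wildcard sources of an ingress rule. An ingress rule that names no
    sourceRanges, sourceTags or sourceServiceAccounts applies to 0.0.0.0/0,
    which is what the stored check's `sources: []` branch catches."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return []
    ranges = rule.get("sourceRanges", [])
    if not ranges and not rule.get("sourceTags") and not rule.get("sourceServiceAccounts"):
        return ["0.0.0.0/0"]
    return [r for r in ranges if r in WILDCARDS]


def audit(rules):
    """One finding per rule that allows a management port from a wildcard source."""
    findings = []
    for rule in rules:
        sources = wildcard_sources(rule)
        ports = [p for p in MANAGEMENT_PORTS if rule_allows(rule, p)]
        if sources and ports:
            findings.append({"name": rule["name"], "sources": sources,
                             "ports": ports, "rule": rule})
    return findings


def narrowing_command(finding, admin_ranges):
    """`firewall-rules update --source-ranges` replaces the whole source list, so
    pass every range that should remain: the rule's existing non-wildcard
    ranges plus the admin ranges."""
    keep = [r for r in finding["rule"].get("sourceRanges", []) if r not in WILDCARDS]
    ranges = keep + [r for r in admin_ranges if r not in keep]
    return (f"gcloud compute firewall-rules update {finding['name']} "
            f"--source-ranges={','.join(ranges)}")


# Constructed sample of `firewall-rules list --format=json` output (not a real project).
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-v6", "direction": "INGRESS", "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-corp", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-low-ports", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0", "198.51.100.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["1-1024"]}]},
    {"name": "allow-all-no-source", "direction": "INGRESS",  # no sources: implicit 0.0.0.0/0
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "egress-ssh", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f['name']}: {f['sources']} reaches {f['ports']}")
        print("  " + narrowing_command(f, ["203.0.113.0/24"]))
```

For a rule like allow-all-no-source the narrowing command fixes the source but the rule still allows every port; decide separately whether to tighten `--allow` or delete the rule.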
References
- https://cloud.google.com/vpc/docs/firewalls#blockedtraffic
Notes
Google Cloud VPC supports IPv6 (dual-stack subnets) in addition to IPv4, so along with the source range 0.0.0.0/0, rules should be checked for the IPv6 equivalent ::/0 as well.
Alibaba
As with AWS, check your Elastic Compute Service (ECS) security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) to TCP port 22, and restrict them to the source addresses that require access.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Alibaba Cloud
Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Security Groups with management ports not restricted from the internet
Expected check: eq []
{
  securityGroups(
    where: {
      rules_SOME: {
        direction: "Inbound"
        action: "Allow"
        AND: [
          {
            OR: [
              { sources_INCLUDES: "cidr:0.0.0.0/0" }
              { sources_INCLUDES: "cidr:::/0" }
              { sources_INCLUDES: "tag:Internet" }
              { sources: [] }
            ]
          }
          {
            OR: [
              { destFromPort_LTE: 22, destToPort_GTE: 22 }
              { destFromPort_LTE: 3389, destToPort_GTE: 3389 }
            ]
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
Firewalls with management ports not restricted from the internet
Expected check: eq []
{
  firewalls(
    where: {
      rules_SOME: {
        direction: "Inbound"
        AND: [
          {
            OR: [
              { sources_INCLUDES: "cidr:0.0.0.0/0" }
              { sources_INCLUDES: "cidr:::/0" }
              { sources: [] }
            ]
          }
          {
            OR: [
              { destFromPort_LTE: 22, destToPort_GTE: 22 }
              { destFromPort_LTE: 3389, destToPort_GTE: 3389 }
            ]
          }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
Connectors: Alibaba Cloud, AWS, Google Cloud, Microsoft Azure