Alibaba Cloud
AWS
Google Cloud
Microsoft AzureOverview
Cyscale looks for virtual machines reachable from the internet on administration ports (22, 3389). To reduce the risk of data breaches, configure the security groups/firewalls to allow access only from specific sources or re-consider whether you really need SSH/RDP access.
Remediation guidance
Azure
Disable direct SSH access to your Azure Virtual Machines from the Internet. After direct SSH access from the Internet is disabled, you have other options you can use to access these virtual machines for remote management:
- Point-to-site VPN
- Site-to-site VPN
- ExpressRoute
By default, SSH access from the internet is not enabled.
For more details check Azure specific control for this issue: azure-1-3-0-networking-2.
References
AWS
Check your EC2 security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) to TCP port 22. Restrict access to only those IP addresses that require it, in order to implement the principle of least privilege and reduce the possibility of a breach.
References
Alibaba
Similar with Azure, you have to check your Elastic Compute Services (ECS) security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) to TCP port 22.
For more details check the Alibaba Specific control for this issue: cis-alibaba-1-0-0-networking-2.
References
Google Cloud
Make sure that you don't have any Firewall Rule that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) to TCP port 22 for any of your VPC Networks.
For more details check the Google Cloud specific control for this issue: gcp-networking-3.
References
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Alibaba Cloud
Use Resource Directory guardrails, account baselines, and IaC modules so the secure setting is applied consistently across environments.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Publicly Accessible VMs for AWS/Alibaba
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
publicIpAddress_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}Publicly Accessible VMs for Azure
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: {
publicIp_NOT: null
securityGroups_SOME: {
rules_SOME: {
direction: "Inbound"
action: "Allow"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
{ sources_INCLUDES: "tag:Internet" }
{ sources: [] }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
}
) {
...AssetFragment
}
}
Publicly Accessible VMs for Google Cloud
Connectors
Covered asset types
Expected check: eq []
{
vms(
where: {
networkInterfaces_SOME: { NOT: { accessConfigs_SOME: null } }
NOT: { name_STARTS_WITH: "gke-" }
firewalls_SOME: {
rules_SOME: {
direction: "Inbound"
AND: [
{
OR: [
{ sources_INCLUDES: "cidr:0.0.0.0/0" }
{ sources_INCLUDES: "cidr:::/0" }
]
}
{
OR: [
{ destFromPort_LTE: 22, destToPort_GTE: 22 }
{ destFromPort_LTE: 3389, destToPort_GTE: 3389 }
]
}
]
}
}
}
) {
...AssetFragment
}
}
