Restrict Security Group Access to All Ports

Identifying Ingress from 0.0.0.0/0 or ::/0 to All Ports
In AWS, security groups are the way that you control access to your environment. You have the responsibility of properly configuring the security group rules, though, and this can unintentionally create areas of insecurity. It’s critical that your security groups do not allow ingress from 0.0.0.0/0 or ::/0 to all ports. In this demo, AWS expert Mike Wise will walk through how to identify this within a security group’s inbound rules. 

  1. From the AWS Management Console, navigate to the EC2 Dashboard, then the Security Groups section. 
  2. Choose a security group to analyze. What do you see? Is this security group open to all IPs or port ranges? Open to any insecure ports or protocols?
  3. For this demonstration, let’s use a security group that is not open to all IPs but is open to all port ranges. Select the Inbound Rules tab. 
  4. For IPv4, if the source is 0.0.0.0/0 for TCP on all port ranges (0-65535), then this security group is being bypassed completely. For IPv6, if the source is ::/0 for TCP on all port ranges (0-65535), then this security group is also open to traffic passing through it. 

For a visual guide on how to identify and restrict security group access to all ports, watch the full demo. Read more on security group rules for different use cases here

Transcription 
Hello everyone! Welcome to today’s demo. Today, we’re going to talk about security groups and restriction of access. Security groups allow you to control external access into your environment and they allow you to have a lot of flexibility in doing that. When you have that flexibility, it allows you to also create environments or situations where it can be very insecure. In this case, we’re going to talk about security groups that allow ingress from all IPs to all ports. There’s no case where we really want to do this; we really always want to have some type of restriction on the access for any security group rules. We’re going to go through to see what it would look like if someone had created a security group rule that allows all access to all ports within your environment. 

First, let’s log in to our AWS Management Console. You’ll be presented with this screen, then you’ll choose “EC2.” This will take us to the EC2 management screen, then we’ll scroll down and click on “Security Groups.” This will take us to the “Security Groups” screen. I’ve already set up a security group where we’re going to be able to show what this is going to look like. We’re going to click on “demo-insecure-ports” security group. This security group right now is not completely open to all IPs, but it is open to all port ranges. 

We’re going to demonstrate what it would look like it all IPs were assigned for IPv6 or IPv4. We’re going to edit this rule. For IPv4, if you see something like 0.0.0.0/0, this means that in this specific instance, for TCP on all port ranges (0-65535) for all IPs, you are able to access through the security group. This means that this security group is being bypassed completely. Let’s look at what it would look like for IPv6. If we select ::/0, this means that for TCP on all ports (0-65535), for all IPv6 IPs, you can access through the security group. If you see a security group that’s written like this, that means that the security group is doing nothing and all traffic is passing through. It’s really important that we audit our security groups to make sure we’re providing appropriate perimeter restrictions to make sure that unlimited traffic is not coming into our environment. Thanks for viewing this demo and have a great day! 

Related Videos