Monday, December 20, 2021

AWS security group secure setup

Security groups are an essential control for protecting resources in the Amazon Web Services cloud. A security group is a set of allow rules attached to a resource's network interface; the rules dictate which sources (IP ranges, other security groups, or prefix lists), on which protocol and ports, may communicate with the instance or service behind it, and anything not explicitly allowed is denied. A misconfigured rule can have serious consequences, granting access from the entire internet. With open access, attackers will certainly attempt to reach the resource, increasing the chances of compromise by a wide margin.

Permitting traffic from any internet host to any port is strongly discouraged as a matter of security best practice. A rule configured this way exposes every port and service on a host to every internet IP address. Malicious actors routinely scan for administrative ports such as SSH (TCP 22) and RDP (TCP 3389) and attempt to brute-force credentials on whatever they find. Such rules can almost always be reconfigured to be far more restrictive while still allowing legitimate users to reach your application.

There are situations where an any-source rule is hard to avoid, for example a public web site that must be reachable from the whole world on ports 80 and 443. Outside such cases, very few situations, if any, justify allowing all clients as a source; the origin of permitted access should be stated explicitly. To keep this manageable, CIDR ranges are used rather than a running list of individual hosts. For example, all of company xyz's networks can be added as a single source with a statement such as 128.59.0.0/16, and a single administrator workstation as a /32. Within a VPC, the source of a rule can also be another security group, which avoids hard-coding addresses for traffic between your own tiers.

An example any/any Security Group rule, as displayed in the console, looks like this:

Protocol   Port Range   Source
All        All          0.0.0.0/0
All        All          ::/0

Note the 'All' under 'Protocol' and 'Port Range'. 'All' in these columns means the remote host can connect to ANY port/service on your VM. Note also the 'Source' column: '0.0.0.0/0' and '::/0' mean ANY IPv4 and ANY IPv6 address respectively. Both entries must be removed; deleting only the IPv4 rule leaves the host wide open over IPv6.
Instead, it is recommended to open traffic to ONLY the ports and IP ranges that your application requires. This may mean creating more rules, but it will result in greatly improved security. In the following example, the Security Group is configured to permit traffic from any IP address, but ONLY to ports 80 and 443, for web traffic:

Protocol   Port Range   Source
TCP        80           0.0.0.0/0, ::/0
TCP        443          0.0.0.0/0, ::/0

With this configuration, administrative ports like SSH and RDP are not open to the internet. If administrators need SSH or RDP, add a separate rule scoped to the company range (such as the 128.59.0.0/16 above) or a bastion host's security group, or remove the inbound rule altogether and use AWS Systems Manager Session Manager. Security groups are stateful, so return traffic for an allowed inbound connection is permitted automatically; there is no need for broad rules to let responses flow back.
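The two rule sets above, checked programmatically, as an added example that is not code from the original post: the script walks security groups in the JSON shape that `aws ec2 describe-security-groups` and boto3's `ec2.describe_security_groups()` return, flags any/any rules and administrative ports open to 0.0.0.0/0 or ::/0, and builds the restrictive web-server rule set the post recommends so it can be audited the same way. The group IDs, group names and the list of administrative ports are assumptions constructed for the example; 128.59.0.0/16 is the company range used earlier in the post.

```python
"""Audit EC2 security-group ingress for world-open access.
Added example for this post, not the post's own code. Works on the IpPermissions
JSON shape of `aws ec2 describe-security-groups` / boto3 describe_security_groups().
"""
import ipaddress

# Assumption for the example: ports an attacker probes first on an exposed host.
ADMIN_PORTS = {22, 3389, 5985, 5986, 1433, 3306, 5432, 27017}
# Ports the post accepts as world-reachable for a public web site.
WEB_PORTS = {80, 443}

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def is_any_source(cidr: str) -> bool:
    """True when a source CIDR means 'every IPv4 address' or 'every IPv6 address'."""
    return ipaddress.ip_network(cidr, strict=False) in (ANY_V4, ANY_V6)


def rule_ports(perm: dict) -> tuple:
    """Port span a permission covers; IpProtocol '-1' (console 'All') is every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def sources(perm: dict):
    """Yield every CIDR source of a permission (IPv4 and IPv6 entries)."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_security_group(sg: dict) -> list:
    """Return (severity, message) findings for world-open ingress on one group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = rule_ports(perm)
        for cidr in sources(perm):
            if not is_any_source(cidr):
                continue  # scoped to a real range: what the post recommends
            if proto == "-1":
                findings.append(("HIGH", f"{cidr} -> ALL protocols/ports (any/any rule)"))
            elif proto in ("tcp", "udp"):
                admin = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
                if admin:
                    findings.append(("HIGH", f"{cidr} -> {proto} {lo}-{hi} exposes admin port(s) {admin}"))
                elif all(p in WEB_PORTS for p in range(lo, hi + 1)):
                    findings.append(("INFO", f"{cidr} -> {proto} {lo}-{hi} (public web port)"))
                else:
                    findings.append(("MEDIUM", f"{cidr} -> {proto} {lo}-{hi} open to the world"))
    return findings


def audit_all(groups: list) -> dict:
    """GroupId -> findings, for every group that has at least one finding."""
    report = {}
    for sg in groups:
        found = audit_security_group(sg)
        if found:
            report[sg["GroupId"]] = found
    return report


def worst_severity(findings: list) -> str:
    """Highest severity in a findings list, or 'NONE' for an empty list."""
    rank = {"HIGH": 3, "MEDIUM": 2, "INFO": 1}
    return max((sev for sev, _ in findings), key=rank.get, default="NONE")


def web_server_rules(admin_cidr: str) -> list:
    """The restrictive set the post recommends, in IpPermissions shape: 80/443 from
    anywhere, SSH only from admin_cidr. Usable as the IpPermissions= argument of
    boto3 ec2.authorize_security_group_ingress()."""
    rules = [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]} for p in sorted(WEB_PORTS)]
    rules.append({"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                  "IpRanges": [{"CidrIp": admin_cidr}]})
    return rules


# Constructed sample in describe-security-groups shape; IDs and names are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "any-any",  # the bad rule from the post
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "web-restricted",  # the recommended set
     "IpPermissions": web_server_rules("128.59.0.0/16")},
    {"GroupId": "sg-0ccc", "GroupName": "ssh-world",  # SSH open to every address
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, found in audit_all(SAMPLE_GROUPS).items():
        for sev, msg in found:
            print(f"{gid} [{sev}] {msg}")
```

To run it against a real account, replace `SAMPLE_GROUPS` with `boto3.client("ec2").describe_security_groups()["SecurityGroups"]`; the any/any group produces two HIGH findings (one for 0.0.0.0/0, one for ::/0), the restricted web group produces only INFO findings, and the scoped SSH rule from 128.59.0.0/16 is not reported at all.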