Ensure no security groups allow ingress from 0.0.0.0/0 to SSH (TCP:22)

Risk Level: Critical
AWS Security Group
Rule ID: D9.AWS.NET.01
Category: Networking & Content Delivery
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22.

GSL logic

SecurityGroup should not have inboundRules with [scope = '0.0.0.0/0' and port<=22 and portTo>=22]
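The GSL condition above, worked through as an added Python example (this is not Dome9 or GSL engine code). It evaluates the same predicate, scope = '0.0.0.0/0' together with port<=22 and portTo>=22, over security-group JSON in the shape returned by `aws ec2 describe-security-groups`; the five sample groups are constructed for the demonstration, including the case the GSL catches that a naive "port == 22" check misses, a rule for the whole TCP range and an all-traffic (IpProtocol -1) rule.

```python
"""Evaluate the D9.AWS.NET.01 condition over security-group JSON.

Added example; this is not Dome9/GSL engine code. Each group is a dict in
the shape returned by `aws ec2 describe-security-groups` (GroupId and
IpPermissions entries with IpProtocol, FromPort, ToPort and IpRanges).
The sample groups at the bottom are constructed for the demonstration.
"""
from typing import Iterable, List

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"


def covers_port(perm: dict, port: int) -> bool:
    """The GSL test 'port<=22 and portTo>=22' for one IpPermissions entry.

    An entry with IpProtocol "-1" (all traffic) has no FromPort/ToPort in the
    API output and covers every port. Otherwise only TCP entries count,
    because the rule targets SSH (TCP:22); the GSL expression itself names
    no protocol.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def open_to_world(perm: dict) -> bool:
    """The GSL test scope = '0.0.0.0/0' (IPv4 only, like the rule itself)."""
    return any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))


def offending_rules(group: dict, port: int = SSH_PORT) -> List[dict]:
    """Inbound entries of one group that match the rule."""
    return [p for p in group.get("IpPermissions", [])
            if covers_port(p, port) and open_to_world(p)]


def open_ssh_groups(groups: Iterable[dict], port: int = SSH_PORT) -> List[str]:
    """GroupIds that fail 'SecurityGroup should not have inboundRules with [...]'."""
    return [g["GroupId"] for g in groups if offending_rules(g, port)]


# Constructed sample: five groups, three of which should be flagged.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa000000000001", "GroupName": "ssh-world",          # exact match
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0aaa000000000002", "GroupName": "all-tcp-world",      # 22 nested in 0-65535
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0aaa000000000003", "GroupName": "ssh-restricted",     # compliant
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.92.168.0/28"}]}]},
    {"GroupId": "sg-0aaa000000000004", "GroupName": "all-traffic-world",  # IpProtocol -1
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0aaa000000000005", "GroupName": "https-world",        # 443 only
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid in open_ssh_groups(SAMPLE_GROUPS):
        print("non-compliant:", gid)
```

Feeding the real `describe-security-groups` output to `open_ssh_groups(data["SecurityGroups"])` gives the same verdicts the rule produces for IPv4; IPv6 (`Ipv6Ranges` with `::/0`) is outside this rule's scope and is deliberately not checked.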

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language

Remediation

Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.
From Portal
1. Login to the AWS Management Console and open Amazon VPC console https://console.aws.amazon.com/vpc/home
2. In the navigation pane, choose Security Groups.
3. For each security group, perform the following:
4. Select the security group
5. Click the Inbound Rules tab
6. Identify the rules to be removed
7. Edit the inbound rule and change the source CIDR range, or delete the rule.
8. Click Save

From TF
Add CIDR range to restrict ingress access to port 22.


resource "aws_security_group" "test" {
  name        = "allow_tls4"
  description = "Allow TLS inbound traffic"

  ingress {
    description = "TLS from VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
-   cidr_blocks = ["0.0.0.0/0"]
+   cidr_blocks = ["10.92.168.0/28"]
  }
}


From Command Line
To make sure security groups don't allow ingress from 0.0.0.0/0 to SSH (TCP:22), run:


aws ec2 revoke-security-group-ingress --region REGION --group-name GROUP-NAME --protocol tcp --port 22 --cidr 0.0.0.0/0

Note that --group-name only identifies security groups in the default VPC; for a group in any other VPC pass --group-id instead. The revoke call removes only a rule whose protocol, port range and CIDR match the arguments exactly, so a wider port range that happens to include 22 is left in place (see the split caveat under Auto Remediation below).



References
1. https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
2. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html?highlight=ingress
4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#ingress

Auto Remediation Using Cloudbots


cloudbot_name: sg_single_rule_delete

What it does: Deletes a single rule on a security group

Usage: sg_single_rule_delete split=<true|false> protocol=<TCP|UDP> scope=<a.b.c.d/e> direction=<inbound|outbound> port=

Example: sg_single_rule_delete split=false protocol=TCP scope=0.0.0.0/0 direction=inbound port=22

Sample GSL: SecurityGroup should not have inboundRules with [scope = '0.0.0.0/0' and port<=22 and portTo>=22]

Conditions and caveats: Deleting a single rule on a security group can be difficult because the problematic port can be nested within a wider range of ports. If SSH is open because a SG has all of TCP open, do you want to delete the whole rule or would you break up the SG into the same scope but port 0-21 and a second rule for 23-end of TCP port range? Currently the way this is being addressed is using the 'split' parameter. If it's set as false, CloudBots will only look for the specific port in question. If it's nested within a larger port scope, it'll be skipped. If you set split to true, then the whole rule that the problematic port is nested in will be removed and 2 split rules will be added in its place (ex: if port 1-30 is open and you want to remove SSH, the new rules will be for port 1-21 and port 23-30).

If you want to delete a rule that is open on ALL ports: put port=0 as the port to be deleted and the bot will remove the rule.
If you want to delete a rule that is open to ALL: put protocol=ALL and the bot will remove the open rule configured with ALL as the protocol.
If you want to delete a rule that is open no matter what protocol is configured: put protocol=* and the bot will remove the open rule.

Example with split set to true:
sg_single_rule_delete split=true protocol=TCP scope=8.8.8.8/32 direction=inbound port=0
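The split behaviour and the port=0 / protocol=ALL / protocol=* conventions described above, modelled as an added Python example (this is not the CloudBots implementation). Given one inbound rule in EC2 IpPermission shape and the bot's parameters, `plan_rule_delete` returns what would replace the rule: nothing (rule deleted), two narrower rules (rule split around the port), or None (rule left alone, e.g. a nested port with split=false). Assumptions not stated on the page: port=0 selects a rule spanning the whole 0-65535 range, protocol=* matches any protocol, and a rule is matched when `scope` is one of its CidrIp values. All rules below are constructed.

```python
"""Plan the effect of sg_single_rule_delete on one inbound rule.

Added example; it models the caveats text above and is not the CloudBots
implementation. A rule is a dict shaped like an EC2 IpPermission
(IpProtocol, FromPort, ToPort, IpRanges with CidrIp). Assumptions: port=0
selects a rule that spans the whole 0-65535 range, protocol='*' matches any
protocol, and a rule is matched when `scope` is one of its CidrIp values.
"""
from typing import List, Optional

MAX_PORT = 65535


def _protocol_matches(rule: dict, protocol: str) -> bool:
    """TCP/UDP match the rule's IpProtocol; ALL matches '-1'; '*' matches anything."""
    have = str(rule.get("IpProtocol", ""))
    if protocol == "*":
        return True
    if protocol.upper() == "ALL":
        return have == "-1"
    return have.lower() == protocol.lower()


def _port_range(rule: dict):
    """An all-traffic rule has no FromPort/ToPort and covers every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, MAX_PORT
    return rule["FromPort"], rule["ToPort"]


def plan_rule_delete(rule: dict, port: int, protocol: str, scope: str,
                     split: bool) -> Optional[List[dict]]:
    """Return None when the bot leaves the rule alone, otherwise the rules
    that replace it: an empty list means the rule is deleted outright, up to
    two entries mean it was split around `port`."""
    if not _protocol_matches(rule, protocol):
        return None
    if scope not in [r.get("CidrIp") for r in rule.get("IpRanges", [])]:
        return None
    lo, hi = _port_range(rule)
    if port == 0:
        # "open on ALL ports": only a rule spanning the full range is removed
        return [] if (lo, hi) == (0, MAX_PORT) else None
    if not lo <= port <= hi:
        return None
    if (lo, hi) == (port, port):
        return []  # exact rule for the port: deleted, split or not
    if not split or rule.get("IpProtocol") == "-1":
        # split=false: a port nested in a wider range is skipped. An
        # all-traffic (-1) rule is also left alone here, since splitting it
        # would need one replacement rule per protocol.
        return None
    base = {k: v for k, v in rule.items() if k not in ("FromPort", "ToPort")}
    replacements = []
    if lo < port:
        replacements.append({**base, "FromPort": lo, "ToPort": port - 1})
    if port < hi:
        replacements.append({**base, "FromPort": port + 1, "ToPort": hi})
    return replacements


# Constructed rules used for the demonstration.
WORLD = [{"CidrIp": "0.0.0.0/0"}]
SSH_EXACT = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": WORLD}
TCP_1_30 = {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 30, "IpRanges": WORLD}
TCP_ALL_PORTS = {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "8.8.8.8/32"}]}
ALL_TRAFFIC = {"IpProtocol": "-1", "IpRanges": WORLD}

if __name__ == "__main__":
    # The page's example: split=false protocol=TCP scope=0.0.0.0/0 port=22
    print(plan_rule_delete(SSH_EXACT, 22, "TCP", "0.0.0.0/0", split=False))
    # The 1-30 case from the caveats text with split=true
    print(plan_rule_delete(TCP_1_30, 22, "TCP", "0.0.0.0/0", split=True))
    # The page's split=true example against a TCP rule open on all ports
    print(plan_rule_delete(TCP_ALL_PORTS, 0, "TCP", "8.8.8.8/32", split=True))
```

Running the plan before applying it is the useful part: a None result for a rule the GSL flagged is exactly the "nested port, split=false" case the caveat warns about, and the two replacement rules for a split can be reviewed before any revoke/authorize call is made.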

Limitations: IPv6 is not supported

AWS Security Group

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

Compliance Frameworks

HIPAA PCIDSS32 ISO27001 NIST_CSF BP_0318