Close risky open admin ports in Security Groups

Close administrative ports that are open to everyone

Remove security group ingress rules that allow unrestricted access (source 0.0.0.0/0 or ::/0) to the administration ports (22 for SSH and 3389 for RDP). Before removing them, coordinate with the IT teams that use these ports on an alternative access method (see below) so they can continue operating.

We recommend AWS Systems Manager Fleet Manager, which does not require any inbound port to be open, or hardened bastion hosts. Fleet Manager requires the SSM Agent (preinstalled on many AWS-managed AMIs) and an IAM role attached as an EC2 instance profile with the AmazonSSMManagedEC2InstanceDefaultPolicy managed policy. The agent must also be able to reach the Systems Manager service endpoints, either through internet/NAT egress or through VPC endpoints.

If you can't use SSM Fleet Manager, evaluate EC2 Instance Connect (note that the browser-based version still needs port 22 allowed from the EC2 Instance Connect service IP range of your region, whereas an EC2 Instance Connect Endpoint needs no inbound exposure from the internet), or at least restrict the source IP ranges that can reach the administration ports.

How to check
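
The page's own check is AWS Security Hub's controls EC2.13 (port 22) and EC2.14 (port 3389). The following is an added example, not part of the original page or of any AWS tool, showing how the same check can be done from the DescribeSecurityGroups output and how the matching revoke call is built so that only the world-open source ranges are removed. The security group IDs, names and rules are constructed sample data; the boto3 calls in the comments are what you would run against a real account (assumption: boto3 installed and credentials configured).

```python
"""Find security group ingress rules that expose SSH/RDP to everyone, and build the revoke call."""
from typing import Iterable, List

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _covers_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry covers `port`.

    IpProtocol "-1" means all traffic and carries no FromPort/ToPort;
    TCP rules carry a range (a single port has FromPort == ToPort)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def _world_open_cidrs(perm: dict) -> List[str]:
    """Return the source ranges on this rule that match everyone (IPv4 and IPv6)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return cidrs


def find_open_admin_rules(security_groups: Iterable[dict]) -> List[dict]:
    """Walk DescribeSecurityGroups-shaped dicts and return one finding per rule
    that lets 0.0.0.0/0 or ::/0 reach port 22 or 3389 (directly, via a port
    range that includes them, or via an allow-all "-1" rule)."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = _world_open_cidrs(perm)
            if not cidrs:
                continue
            ports = [p for p in ADMIN_PORTS if _covers_port(perm, p)]
            if not ports:
                continue
            findings.append({
                "GroupId": sg["GroupId"],
                "GroupName": sg.get("GroupName", ""),
                "IpProtocol": perm["IpProtocol"],
                "FromPort": perm.get("FromPort"),
                "ToPort": perm.get("ToPort"),
                "Cidrs": cidrs,
                "Services": [ADMIN_PORTS[p] for p in ports],
            })
    return findings


def revoke_params(finding: dict) -> dict:
    """Build the kwargs for ec2.revoke_security_group_ingress for one finding.
    Only the world-open CIDRs are revoked; narrower ranges on the same rule
    (for example a corporate /24) are left in place. The protocol and port
    range must match the existing rule exactly or EC2 rejects the call."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    v4 = [c for c in finding["Cidrs"] if c == ANY_IPV4]
    v6 = [c for c in finding["Cidrs"] if c == ANY_IPV6]
    if v4:
        perm["IpRanges"] = [{"CidrIp": c} for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
    return {"GroupId": finding["GroupId"], "IpPermissions": [perm]}


# Constructed sample data in the shape of DescribeSecurityGroups["SecurityGroups"];
# group IDs and names are hypothetical, 203.0.113.0/24 is a documentation range.
SAMPLE_SECURITY_GROUPS = [
    {   # SSH open to the world next to a corporate range; RDP only from the corporate range
        "GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-servers",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {   # an allow-all rule from ::/0 exposes both admin ports over IPv6
        "GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-all-open",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # HTTPS to the world is not an admin port; a 3000-4000 range from 0.0.0.0/0 still covers 3389
        "GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    # Against a real account (assumption: boto3 and credentials available):
    #   import boto3
    #   ec2 = boto3.client("ec2")
    #   pages = ec2.get_paginator("describe_security_groups").paginate()
    #   groups = [sg for page in pages for sg in page["SecurityGroups"]]
    #   for f in find_open_admin_rules(groups):
    #       ec2.revoke_security_group_ingress(**revoke_params(f))
    for f in find_open_admin_rules(SAMPLE_SECURITY_GROUPS):
        print(f["GroupId"], f["GroupName"], f["Services"], f["Cidrs"], "->", revoke_params(f))
```

Run the findings through review with the owning team before issuing the revoke calls; the revoke removes only the 0.0.0.0/0 and ::/0 entries, so a rule that also lists a corporate range keeps that range.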

Risk Mitigation

  • Allowing unrestricted ingress to the administration ports (22 and 3389) is a significant risk: the exposed hosts are often not properly patched or hardened, so an adversary can exploit a vulnerability in the SSH or RDP service to take control of the instance, or simply obtain access through SSH and RDP brute-force attacks against weak credentials.

Guidance for assessments

  • Are you allowing unrestricted ingress access to the administration ports (22/3389)? If you're unsure, use AWS Security Hub's controls EC2.13 (security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22) and EC2.14 (the same for port 3389).
  • How are you managing administrative network access to your instances?

Pricing

Security Groups: no additional cost.

AWS Security Hub: https://aws.amazon.com/security-hub/pricing
The service has a 30-day trial period (free trial)
The service has a site to verify current usage and estimate future usage.

AWS Firewall Manager: https://aws.amazon.com/firewall-manager/pricing/