6.20 Ensure Web tier Security Group has no inbound rules for CIDR of 0 (Global Allow)


A _security group_ acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in the AWS Virtual Private Cloud (VPC), you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add _rules_ that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.
Considering any of the non-public tiers receive requests only either from the upper tier or from resources inside the same VPC, any inbound rules that allow traffic from any source ( are not necessary and should be removed.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Using the Amazon unified command line interface:

* Remove the ingress rules for CIDR (use the "WebTierSecurityGroup" element from Audit procedure):

aws ec2 revoke-security-group-ingress --group-id _<__web_tier_security_group_> --protocol tcp/udp --port _<specific_port>_ --cidr

See Also


Item Details


References: 800-53|SC-7(11)

Plugin: amazon_aws

Control ID: 2c4a08d7580cf62ad3d9a68076681c2a356e127fcadbcf6cfc5ba7341780b205