Stop Hackers at the Door: Auto-Remediate Open Ports in AWS
Let’s face it, managing security in the cloud is a constant battle. Developers and AWS users can, knowingly or unknowingly, leave sensitive ports such as SSH (22), RDP (3389) or MySQL (3306) open to the public (0.0.0.0/0 or ::/0) in a security group. Every such rule hands the whole internet a direct path to that service, and internet-wide scanners will find it.
Traditionally we relied on Security Hub to identify these misconfigurations: review each finding by hand, then adjust the ingress rules. But what if the entire loop, from detection to fix, could be automated?
Enter AWS Config with auto-remediation: a Config rule detects the exposure and a Systems Manager Automation runbook fixes it, with no human in the loop.
AWS Config to the Rescue
Here’s how AWS Config with auto-remediation tackles the challenge of open ports:
- Continuous Monitoring: The AWS managed Config rule “vpc-sg-open-only-to-authorized-ports” evaluates your security groups whenever one changes, looking for any ingress rule that allows unrestricted traffic (0.0.0.0/0 or ::/0) on a port you have not authorized.
- Non-Compliance Flag: If Config finds such a security group, it marks the group NON_COMPLIANT. That evaluation result is the signal everything else keys off.
- Auto-Remediation (Optional): This is where things get interesting. You can attach a remediation action to the rule, so that as soon as a security group is evaluated as non-compliant, Config invokes a Systems Manager Automation runbook, under an IAM role you supply, that revokes the offending ingress rules or closes the group entirely. No ticket and no manual step: the exposure window shrinks to the time Config takes to evaluate and the runbook takes to run.
Implementation Steps:
(a) Enable AWS Config, recording EC2 security groups, in every region and account you want covered. Config rules and their remediations are regional, so an open port in an unmonitored region stays open.
(b) Add the AWS managed Config rule ‘vpc-sg-open-only-to-authorized-ports’.
This rule ‘checks if security groups allowing unrestricted incoming traffic (‘0.0.0.0/0’ or ‘::/0’) only allow inbound TCP or UDP connections on authorized ports. The rule is NON_COMPLIANT if such security groups do not have ports specified in the rule parameters.’
In the ‘Parameters’ section, list the TCP and UDP ports that may legitimately be open to the public (authorizedTcpPorts and authorizedUdpPorts, comma-separated, with dashes for ranges, e.g. 443 or 80,443). These lists are the whole policy: any world-open port not on them makes the group non-compliant, and if a list is left empty, every world-open port on that protocol does.
(c) For the purpose of the demo, I created a security group with ports 22, 3389 and 443 exposed to the public (0.0.0.0/0). The Config rule evaluated it and, as expected, flagged the group as non-compliant because it has the sensitive ports SSH (22) and RDP (3389) open to the public. Note that 443 only passes if it is listed in authorizedTcpPorts; otherwise it counts against the group as well, and the group stays non-compliant even after the SSH and RDP rules are removed.
(d) Choose ‘Automatic remediation’ and select ‘AWS-DisablePublicAccessForSecurityGroup’ as the remediation action.
Note: ‘AWS-DisablePublicAccessForSecurityGroup’ only revokes the TCP 22 (SSH) and TCP 3389 (RDP) rules from the CIDR you tell it to block; a public MySQL, MSSQL or PostgreSQL port is left exactly as it was.
For automated remediation of other sensitive ports, refer to step (g).
(e) Under ‘Resource ID parameter’, select ‘GroupId’ from the dropdown so that Config passes the non-compliant group’s ID into the runbook.
IpAddressToBlock = 0.0.0.0/0 (its default). You can give another source CIDR instead if a specific range is what you need to cut off. One check worth making: the Config rule also flags ::/0, while this parameter is a single CIDR, so confirm that any IPv6 rules are covered or handle them separately.
For the mandatory ‘AutomationAssumeRole’ parameter, create a role with ‘Systems Manager’ (ssm.amazonaws.com) as the trusted entity and attach the permission policy shown below. Keep it to the EC2 actions the runbook makes (at minimum ec2:RevokeSecurityGroupIngress, plus ec2:RevokeSecurityGroupEgress if you later switch to AWS-CloseSecurityGroup), not a broad EC2 or administrator policy: whatever this role can do, a non-compliant evaluation can now trigger.
Click ‘Save Changes’ to complete the setup of remediation action
(f) Auto-remediation runs and removes only the ingress rules that allowed SSH (22) and RDP (3389) from the security group, leaving the ingress rule for HTTPS (443) intact.
Before Auto-remediation:
After Auto-remediation:
(g) Choose ‘AWS-CloseSecurityGroup’ as the remediation action when you want automated remediation for any sensitive port (MySQL, MSSQL, PostgreSQL and so on) exposed to the public. Be clear about what it does: it removes every ingress and every egress rule from the non-compliant security group, so anything attached to that group loses all connectivity, outbound included, until someone rebuilds the rules. That is the right response for a group that should never have been public, and a painful one for a group that legitimately serves 443 to the internet but picked up a stray 3306 rule, because the legitimate ports go down with it. For mixed groups, a custom runbook that revokes only the offending rule is the gentler option.
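To see what the rule parameters from step (b) and the two runbooks from steps (d) and (g) actually do to a group, here is a dry-run model in Python. It is an added example, not code from this post or from AWS: it re-implements the rule's described logic and the runbooks' effect over a constructed describe-security-groups-style record, using only the standard library so it runs offline. The group ID, CIDRs and rules are constructed; the parameter names authorizedTcpPorts/authorizedUdpPorts are the rule's own, while the treatment of all-traffic rules and the exact-match revoke behaviour of the SSH/RDP runbook are assumptions stated in the comments. The last function builds the arguments a targeted custom runbook would pass to EC2 RevokeSecurityGroupIngress as an alternative to closing the whole group.

```python
"""Dry-run model of the vpc-sg-open-only-to-authorized-ports check and of the two
remediation runbooks named on this page, over a constructed security group.
Added example, not AWS's rule or runbook code: stdlib only, so it runs offline."""
from copy import deepcopy

PUBLIC_V4, PUBLIC_V6 = "0.0.0.0/0", "::/0"
SSH_RDP_PORTS = (22, 3389)  # all that AWS-DisablePublicAccessForSecurityGroup targets


def parse_port_spec(spec):
    """'443,1020-1025' -> {443, 1020, ..., 1025}: the comma/dash format of the
    rule's authorizedTcpPorts / authorizedUdpPorts parameters."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def is_public(perm):
    """True if an IpPermission accepts traffic from anywhere, IPv4 or IPv6."""
    return (any(r.get("CidrIp") == PUBLIC_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == PUBLIC_V6 for r in perm.get("Ipv6Ranges", [])))


def evaluate(sg, authorized_tcp="", authorized_udp=""):
    """(compliant, offending_rules) per the rule description: every world-open
    TCP/UDP rule must lie entirely inside the authorized ports. Assumption: an
    all-traffic ('-1') rule open to the world is non-compliant too."""
    allowed = {"tcp": parse_port_spec(authorized_tcp), "udp": parse_port_spec(authorized_udp)}
    offending = []
    for perm in filter(is_public, sg["IpPermissions"]):
        proto = perm["IpProtocol"]
        if proto == "-1" or (proto in allowed and not
                             set(range(perm["FromPort"], perm["ToPort"] + 1)) <= allowed[proto]):
            offending.append(perm)
    return not offending, offending


def disable_public_access(sg, ip_to_block=PUBLIC_V4):
    """Simulate AWS-DisablePublicAccessForSecurityGroup: revoke TCP 22 and 3389 from
    ip_to_block only. EC2 RevokeSecurityGroupIngress removes a rule only on an exact
    match of protocol, port range and CIDR, so (assumed runbook behaviour) a 20-30
    range or all-traffic rule that also exposes 22 survives, and other sources on
    the same port (a corporate CIDR, say) are kept."""
    out, revoked = deepcopy(sg), []
    for perm in out["IpPermissions"]:
        if (perm["IpProtocol"] == "tcp" and perm.get("FromPort") in SSH_RDP_PORTS
                and perm.get("ToPort") == perm["FromPort"]):
            before = perm.get("IpRanges", [])
            perm["IpRanges"] = [r for r in before if r.get("CidrIp") != ip_to_block]
            if len(perm["IpRanges"]) != len(before):
                revoked.append(perm["FromPort"])
    # A rule whose last source was revoked no longer exists in EC2.
    out["IpPermissions"] = [p for p in out["IpPermissions"] if p.get("IpRanges")
                            or p.get("Ipv6Ranges") or p.get("UserIdGroupPairs")]
    return out, revoked


def close_security_group(sg):
    """Simulate AWS-CloseSecurityGroup: every ingress AND egress rule goes, so the
    instance also loses outbound access (updates, agents, application traffic)."""
    out = deepcopy(sg)
    out["IpPermissions"], out["IpPermissionsEgress"] = [], []
    return out


def revoke_ingress_params(sg, offending):
    """Arguments for a targeted alternative (a custom runbook step or a direct
    ec2.revoke_security_group_ingress call): drop only the world-open entries of
    the offending rules and leave every other source on those ports alone."""
    ip_perms = []
    for p in offending:
        entry = {"IpProtocol": p["IpProtocol"]}
        if p["IpProtocol"] != "-1":
            entry.update(FromPort=p["FromPort"], ToPort=p["ToPort"])
        v4 = [r for r in p.get("IpRanges", []) if r.get("CidrIp") == PUBLIC_V4]
        v6 = [r for r in p.get("Ipv6Ranges", []) if r.get("CidrIpv6") == PUBLIC_V6]
        entry.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
        ip_perms.append(entry)
    return {"GroupId": sg["GroupId"], "IpPermissions": ip_perms}


def _rule(proto, port, v4=(), v6=()):
    """One IpPermission in describe-security-groups shape (constructed data)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6], "UserIdGroupPairs": []}


# Constructed demo group (hypothetical ID): 22, 3389, 443 and 3306 open to the
# world; 3389 is also allowed from a private CIDR that a revoke must not touch.
DEMO_SG = {
    "GroupId": "sg-0demo",
    "IpPermissions": [_rule("tcp", 22, v4=[PUBLIC_V4]),
                      _rule("tcp", 3389, v4=[PUBLIC_V4, "10.0.0.0/8"]),
                      _rule("tcp", 443, v4=[PUBLIC_V4], v6=[PUBLIC_V6]),
                      _rule("tcp", 3306, v4=[PUBLIC_V4])],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": PUBLIC_V4}]}],
}
```

Running `evaluate(DEMO_SG, authorized_tcp="443")` flags 22, 3389 and 3306; `disable_public_access(DEMO_SG)` revokes 22 and 3389 from 0.0.0.0/0, keeps the 10.0.0.0/8 source on 3389, and leaves the group still non-compliant because 3306 survives, which is exactly the gap step (g) exists to close. A wide range such as TCP 20-30 open to the world would also survive the SSH/RDP runbook, since the revoke has to match the rule exactly. `close_security_group` fixes both at the price of all connectivity; `revoke_ingress_params` shows the narrower fix a custom runbook can make instead.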
Benefits of Auto-Remediation
- Faster Threat Response: Auto-remediation acts the moment the rule evaluates, closing the gap before attackers can exploit it and keeping the exposure window short.
- Reduced Manual Work: Gone are the days of manually sifting through Security Hub findings and meticulously adjusting ingress rules. Config automates the entire loop, freeing up your valuable time.
- Enhanced Security Posture: By finding and closing public exposures as they appear, you create a more robust environment for your cloud resources and one that is less susceptible to opportunistic attacks.
A Word on Flexibility
While auto-remediation is powerful, weigh it against your specific needs. Some ports may need temporary public access for troubleshooting, and an automatic action will close them again on the next evaluation, since the rule re-runs every time the security group changes. For those cases, use Config to identify and a human to act, or scope the rule (Config rules can be scoped by resource ID or tag) so that known exceptions are not evaluated at all.
Conclusion
AWS Config with auto-remediation is a game-changer for cloud security. By automating the identification and remediation of open ports, you shrink the window in which an exposed port is reachable and free yourself from tedious manual tasks. Remember, security is an ongoing process: keep the authorized-port lists current, review what the remediation role is allowed to do, stay vigilant, and keep your cloud environment safe and secure!