Problem description
AWS security groups are aimed to filter the ingress/engress traffic to an EC2 instance. Security best practices require to ensure that AWS security groups constrain all public traffic and don’t allow unrestricted access (IP address with a /0 suffix) to reduce the possibility of cyberattacks, breaches and risks of data loss.
Our recommendations will help you find all security groups with unrestricted access (i.e. 0.0.0.0/0) to your EC2 instances using AWS CLI. As a result you’ll get a list of security groups with rules allowing unrestricted access, which helps you take essential actions from a security side and allow authorized from only known hosts.
Recommendations
Step 1
If we want to find all SGs we should go over all available regions.
AWS cli command:
aws ec2 describe-regions --query "Regions[].RegionName" --output textMore info could be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-regions.html
Step 2
For every available region we should go over all target ports (22 and 3389 in our case) and find all security groups with these ports that are allowed from zero-addresses cidr i.e. 0.0.0.0/0 for ipv4 and ::/0 for ipv6
AWS cli command:
aws ec2 describe-security-groups --region "$region" --filters Name=ip-permission.from-port,Values=$port Name=ip-permission.to-port,Values=$port --query 'SecurityGroups[?((IpPermissions.IpRanges.CidrIp == "0.0.0.0/0") || (IpPermissions.Ipv6Ranges.CidrIpv6 == "::/0"))].[GroupId]' --output textMore info could be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-security-groups.html
Note 1
Inbound rules for security groups allow to specify port ranges like [20, 25]. Unfortunatelly AWS cli doesn’t allow comparison for server side filtering. In this case consider using something more powerfull than AWS cli.
Note 2
AWS cli has a pagination mechanism for large amounts of data in output. If you have many SGs in a region, the provided script will process only the first page. Consider using something more powerful than AWS cli.
As a result one line command:
for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do for port in 22 3389; do for groupId in $(aws ec2 describe-security-groups --region "$region" --filters Name=ip-permission.from-port,Values=$port Name=ip-permission.to-port,Values=$port --query 'SecurityGroups[?((IpPermissions.IpRanges.CidrIp == "0.0.0.0/0") || (IpPermissions.Ipv6Ranges.CidrIpv6 == "::/0"))].[GroupId]' --output text); do echo "Region: $region Port: $port GroupId: $groupId"; done; done; done
Output example:
…
Region: ap-south-1 Port: 3389 GroupId: sg-040f94474611b14fb
Region: ap-south-1 Port: 3389 GroupId: sg-0a79acb4f95e1ce90
Region: eu-west-3 Port: 22 GroupId: sg-0e88381b1b9c5c6b4
…
👆🏻 The security best practice is to remove passwords to the AWS Management Console when users leave your organization, no longer need them or just use access keys (a combination of an access key ID and a secret access key) to access to AWS account.
✔️ Find the best way to find inactive IAM users with AWS management console access to avoid security issues → https://hystax.com/the-best-way-to-find-inactive-iam-users-with-aws-management-console-access-to-avoid-security-issues
