In AWS, security groups act as a virtual firewall that regulates inbound/outbound traffic for service instances. Unlike traditional firewalls, however, security groups only allow you to create permissive rules. Users are not provided the ability to deny traffic. This means that if no rules are set for an instance, then all inbound/outbound traffic will be blocked.
Configuration Best Practices
As with any AWS service, it is crucial that AWS security groups are properly configured to protect against security risks and threats and best practices are followed:
1) VPC flow logging: Enable Virtual Private Cloud (VPC) flow logging. VPC flow logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic and provide insight during security workflows. It is one of AWS’s network monitoring services and enabling it will allow you to detect security and access issues such as overly permissive security groups, and alert on anomalous activities such as rejected connection requests or unusual levels of data transfer.
2) EC2: Ensure that EC2 security groups don’t have large ranges of ports open. With large port ranges open, vulnerabilities could be exposed. An attacker can scan the ports and identify vulnerabilities of hosted applications without easy traceability due to large port ranges being open.
3) RDS: Restrict access to RDS instances. When the VPC security groups associated with an RDS instance allow unrestricted access (i.e. source set to 0.0.0.0/0), entities on the internet can establish a connection to your database. This increases the risk of malicious activities such as brute-force attacks, SQL injections, or DoS attacks.
4) Redshift: Restrict access to redshift clusters. When redshift clusters are publicly accessible, entities on the internet can establish a connection to your databases. This increases the risk of malicious activities such as brute-force attacks, SQL injections, or DoS attacks.
5) Discrete security groups: Minimize the number of discrete security groups to decrease the risk of misconfiguration leading to account compromise.
Definitive Guide to Securing Workloads on AWS
Download this e-book to learn about AWS security challenges, detailed best practices around AWS and applications deployed in AWS, and how CASBs can secure your AWS infrastructureDownload Now
6) Outbound access: Restrict outbound access from ports to required entities only, such as specific ports or specific destinations.
7) Uncommon ports: Disallow unrestricted ingress access on uncommon ports. Allowing unrestricted inbound access to uncommon ports can increase opportunities for malicious activity such as hacking, data loss, brute-force attacks, DoS attacks, etc.
8) CIFS: Ensure that access through port 445 is restricted to required entities only. Common Internet File System (CIFS) is a commonly used protocol for communication and sharing data. Unrestricted access could potentially lead to unauthorized access to data.
9) FTP: File Transfer Protocol, or FTP, is an important protocol for client-server data transfer. In this case, both inbound and outbound access through port 20/21 needs to be restricted to required entities only.
10) ICMP: Ensure that access for Internet Control Message Protocol (ICMP) is restricted to required entities only. Unrestricted access could lead to data breaches as attackers could use ICMP to test for network vulnerabilities or employ DoS attack against the infrastructure.
11) MongoDB: An important resource for querying and indexing data, MongoDB is frequently used for a variety of reasons. As a result, it is crucial that access through port 27017 is only permitted for those who need it.
12) MSSQL: Ensure that access through port 1433 is restricted to required entities only.
13) MySQL: Ensure that access through port 3306 is restricted to required entities only.
14) Oracle DB: Ensure that access through port 1521 is restricted to required entities only.
15) PostgreSQL: Ensure that access through port 5432 is restricted to required entities only.
16) Remote desktop: Ensure that access through port 3389 is restricted to required entities only.
17) RPC: Ensure that access through port 135 is restricted to required entities only
18) SMTP: Ensure that access through port 25 is restricted to required entities only. Unrestricted SMTP access can be misused to spam your enterprise, launch DoS attacks, etc.
19) SSH: Secure Shell Protocol (SSH) establishes a secure connection. Ensure that access through port 22 is restricted to required entities.
20) Telnet: Telnet is useful for text-oriented communication through a virtual connection. This communication runs through port 23, which needs to be restricted to required entities to prevent unwanted access.
21) DNS: Domain Name Servers (DNS) act as an IP directory. Ensure that access through port 53 is restricted to required entities only.
How a CASB Secures AWS
The average enterprise uses 50 S3 buckets alone. Of these, 7% provide unrestricted public access while a whopping 35% of all S3 buckets remain unencrypted. And while Amazon offers several built-in security features, giving organizations the ability to enforce a wide range of security, compliance, and governance policies, AWS settings can be very deep.
Combine that with the fact that most organizations have a sprawling AWS environment and the security configurations are dynamic and can be changed at any time by an administrator, it becomes clear that manually checking AWS security configurations for services such as S3 buckets, EC2, security groups, etc can be prohibitive.
The recent news around AWS customer data leaks caused by misconfigured security settings has further highlighted the challenge of maintaining a secure AWS environment and the need for a security solution that mitigates instances of human errors. To that end a cloud access security broker (CASB) is a dedicated security solution that continuously monitors and automates AWS security configuration audits across multiple instances.
Skyhigh’s CASB monitors over 70 AWS security configuration settings across all AWS services and instances, and highlights those that are misconfigured or non-compliant with an organization’s information security management systems (ISMS) controls. Additionally, Skyhigh streamlines the process of correcting the misconfigured settings by providing a platform that automates the remediation of misconfigured AWS settings.
If you’d like an audit of the configurations of your AWS security groups you can register for our free AWS Audit here.