Potential administrative port open to the world via AWS security group

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an AWS security group is opened to the world on a port commonly associated with an administrative service.

Strategy

Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp or @requestParameters.cidrIp array to determine if either of the strings are contained - 0.0.0.0/0 or ::/0 for the following ports:

  • 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 445 (SMB)
  • 2375 (Docker daemon)
  • 3389 (RDP)
  • 5900 (VNC)
  • 5985 (WinRM HTTP)
  • 5986 (WinRM HTTPS)

Administrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.

Note: There is a separate rule to detect AWS Security Group Open to the World.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate the user credentials.
  • Determine what other API calls were made by the user.
  • Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
  1. If the API call was made legitimately by the user:
  • Advise the user to modify the IP range to the company private network or bastion host.
  1. Revert security group configuration back to known good state if required:

Changelog

  • 26 August 2022 - Updated rule query
  • 1 November 2022 - Updated rule query and severity.
PREVIEWING: Cyril-Bouchiat/add-vm-package-explorer-doc