Potential administrative port open to the world via AWS security group
Goal
Detect when an AWS security group is opened to the world on a port commonly associated with an administrative service.
Strategy
Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:
This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp or @requestParameters.cidrIp array to determine if either of the strings 0.0.0.0/0 or ::/0 is present for the following ports:
- 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 445 (SMB)
- 2375 (Docker daemon)
- 3389 (RDP)
- 5900 (VNC)
- 5985 (WinRM HTTP)
- 5986 (WinRM HTTPS)
Administrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.
Note: There is a separate rule to detect AWS Security Group Open to the World.
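The check described above, written out as an added example (this is not the rule's own query or any vendor code): it walks a CloudTrail record, collects the CIDRs on each ingress rule from both request shapes the rule names, and reports any administrative port from the list above that the change exposes to 0.0.0.0/0 or ::/0. The event names, the ipv6Ranges.cidrIpv6 field and the sample records are assumptions constructed for the example; port ranges and ipProtocol "-1" (all traffic) are handled because a rule such as 3000-4000 or "all traffic" from the world also exposes RDP without ever naming port 3389.

```python
"""Flag CloudTrail security-group changes that open an administrative port to the world."""

# Ports and services from the rule description.
ADMIN_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB", 2375: "Docker daemon",
    3389: "RDP", 5900: "VNC", 5985: "WinRM HTTP", 5986: "WinRM HTTPS",
}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumption: the ingress API calls a CloudTrail record carries in eventName.
INGRESS_EVENTS = {"AuthorizeSecurityGroupIngress", "ModifySecurityGroupRules"}


def _rule_cidrs(perm):
    """Collect every CIDR string on one ipPermissions item (IPv4 cidrIp and IPv6 cidrIpv6)."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
    # ipv6Ranges.cidrIpv6 is assumed here; the rule text only names cidrIp.
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return [c for c in cidrs if c]


def _permissions(req):
    """Normalise both request shapes into a list of {fromPort, toPort, ipProtocol, cidrs}."""
    items = req.get("ipPermissions", {}).get("items")
    if items:
        return [{"fromPort": p.get("fromPort"), "toPort": p.get("toPort"),
                 "ipProtocol": p.get("ipProtocol"), "cidrs": _rule_cidrs(p)} for p in items]
    if "cidrIp" in req:  # legacy flat form: cidrIp/fromPort/toPort at the top level
        return [{"fromPort": req.get("fromPort"), "toPort": req.get("toPort"),
                 "ipProtocol": req.get("ipProtocol"), "cidrs": [req["cidrIp"]]}]
    return []


def exposed_admin_ports(event):
    """Return [(port, service, cidr), ...] for admin ports this event opens to the world."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return []
    if event.get("eventName") not in INGRESS_EVENTS:
        return []
    findings = []
    for perm in _permissions(event.get("requestParameters", {})):
        world = [c for c in perm["cidrs"] if c in WORLD_CIDRS]
        if not world:
            continue
        lo, hi = perm["fromPort"], perm["toPort"]
        # ipProtocol "-1" (all traffic) or a missing/-1 port range covers every port.
        if perm["ipProtocol"] == "-1" or lo is None or lo == -1:
            lo, hi = 0, 65535
        for port, service in ADMIN_PORTS.items():
            if lo <= port <= hi:
                findings.extend((port, service, cidr) for cidr in world)
    return findings


# Constructed sample records (not real CloudTrail output), trimmed to the fields used.
SSH_FROM_WORLD = {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {"groupId": "sg-EXAMPLE", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
}
RANGE_FROM_WORLD_V6 = {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {"groupId": "sg-EXAMPLE", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 3000, "toPort": 4000,
         "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}},
}
LEGACY_RDP_FROM_WORLD = {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {"groupId": "sg-EXAMPLE", "ipProtocol": "tcp",
                          "fromPort": 3389, "toPort": 3389, "cidrIp": "0.0.0.0/0"},
}
SSH_FROM_PRIVATE = {
    "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {"groupId": "sg-EXAMPLE", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}},
}

if __name__ == "__main__":
    for name, ev in [("ssh", SSH_FROM_WORLD), ("range-v6", RANGE_FROM_WORLD_V6),
                     ("legacy-rdp", LEGACY_RDP_FROM_WORLD), ("ssh-private", SSH_FROM_PRIVATE)]:
        print(name, exposed_admin_ports(ev))
```

The range and "all traffic" handling is the part worth keeping in any production version: matching only on an exact fromPort value misses a rule such as 0-65535 from 0.0.0.0/0, which exposes every port in the list at once.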
Triage and response
- Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
- If the API call was not made by the user:
- Rotate the user credentials.
- Determine what other API calls were made by the user.
- Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
- If the API call was made legitimately by the user:
- Advise the user to modify the IP range to the company private network or bastion host.
- Revert security group configuration back to known good state if required:
Changelog
- 26 August 2022 - Updated rule query
- 1 November 2022 - Updated rule query and severity.