
Automatically audit AWS security groups that allow access from public IP addresses - AWS Prescriptive Guidance
Automatically audit AWS security groups that allow access from public IP addresses

Created by Eugene Shifer (AWS) and Stephen DiCato (AWS)

Summary

As a security best practice, it's crucial to limit the exposure of AWS resources to only what is absolutely necessary. For example, web servers that serve the general public need to allow inbound access from the internet, but access to other workloads should be restricted to specific networks to reduce unnecessary exposure. Security groups in Amazon Virtual Private Cloud (Amazon VPC) are an effective control to help you limit resource access. However, evaluating security groups can be a cumbersome task, especially in multi-account architectures. AWS Config rules and AWS Security Hub controls can help you identify security groups that permit access from the public internet (0.0.0.0/0) to specific network communication protocols, such as Secure Shell (SSH), HTTP, HTTPS, and Remote Desktop Protocol (RDP). However, these rules and controls do not apply if services run on non-standard ports or if access is restricted to certain public IP addresses rather than to 0.0.0.0/0. For instance, this might occur when a web service is associated with TCP port 8443 instead of the standard TCP port 443. This might also occur when developers have access to the server from their home networks, such as for testing purposes.

To address this, you can use the infrastructure as code (IaC) solution provided in this pattern to identify security groups that allow access from any non-private IP address (any address outside the RFC 1918 private ranges) to any workload in your AWS account or AWS organization. The AWS CloudFormation template provisions a custom AWS Config rule, an AWS Lambda function, and the necessary permissions. You can deploy it as a stack in a single account or as a stack set across the entire organization, managed through AWS Organizations.
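To make the detection criterion concrete, the following is an added example (not the pattern's own Lambda code, which is in the linked repository) that applies the same rule to security-group data shaped like the boto3 describe_security_groups() response and derives the AWS Config compliance type per group. The sample groups are constructed, and treating IPv6 sources as public is an assumption of this example.

```python
"""Added example (not the pattern's own Lambda code): classify security group
ingress rules against the RFC 1918 private ranges, the check this pattern's custom
AWS Config rule performs. Input mirrors boto3 describe_security_groups() output."""
import ipaddress

# RFC 1918 private IPv4 space; any source outside it counts as "public" here.
PRIVATE_NETS = [ipaddress.ip_network(c) for c in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(cidr: str) -> bool:
    """True only if every address in cidr lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False  # assumption: IPv6 sources are treated as public
    # A range that merely overlaps a private block (e.g. 10.0.0.0/7) is NOT private.
    return any(net.subnet_of(p) for p in PRIVATE_NETS)

def public_ingress(group: dict) -> list:
    """Return (ports, cidr) pairs in the group whose source is not RFC 1918."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":      # all protocols, all ports
            ports = "all"
        else:
            ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
        for rng in perm.get("IpRanges", []):
            if not is_private(rng["CidrIp"]):
                findings.append((ports, rng["CidrIp"]))
        for rng in perm.get("Ipv6Ranges", []):  # see assumption in is_private
            findings.append((ports, rng["CidrIpv6"]))
    return findings

def evaluate(groups: list) -> dict:
    """Map each GroupId to the AWS Config compliance type to report for it."""
    return {g["GroupId"]: "NON_COMPLIANT" if public_ingress(g) else "COMPLIANT"
            for g in groups}

# Constructed sample: port 8443 open to the internet and to one home /32 (cases
# the managed rules miss), a private-only group, and a CIDR wider than 10/8.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8443,
     "ToPort": 8443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.7/32"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
     "ToPort": 22, "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "192.168.1.0/24"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.0.0.0/7"}]}]},
]
```

Note that a CIDR that only partially overlaps a private block, such as 10.0.0.0/7, is reported as public because part of it lies outside RFC 1918 space.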

Prerequisites and limitations

Prerequisites

  • An active AWS account

  • Experience using GitHub

  • If you're deploying into a single AWS account:

    • Permissions to create CloudFormation stacks

    • AWS Config set up in the target account

    • (Optional) Security Hub set up in the target account

  • If you're deploying into an AWS organization:

    • Permissions to create CloudFormation stack sets

    • Security Hub set up with AWS Organizations integration

    • AWS Config set up in the accounts where you are deploying this solution

    • An AWS account designated as the delegated administrator for AWS Config and Security Hub

Limitations

  • If you're deploying to an individual account that doesn't have Security Hub enabled, you can use AWS Config to evaluate the findings.

  • If you're deploying to an organization that doesn't have a delegated administrator for AWS Config and Security Hub, you must log into the individual member accounts to view the findings.

  • If you use AWS Control Tower to manage and govern the accounts in your organization, deploy the IaC in this pattern by using Customizations for AWS Control Tower (CfCT). Using the CloudFormation console would create configuration drift from AWS Control Tower guardrails and require that you re-enroll the organizational units (OUs) or managed accounts.

  • Some AWS services aren’t available in all AWS Regions. For Region availability, see AWS services by Region. For specific endpoints, see the Service endpoints and quotas page, and choose the link for the service.

Architecture

Deploying into an individual AWS account

The following architecture diagram shows the deployment of the AWS resources within a single AWS account. You provision the resources by using a CloudFormation template directly through the CloudFormation console. If Security Hub is enabled, you can view the results in either AWS Config or Security Hub. If Security Hub is not enabled, you can view the results only in AWS Config.

Deployment of the IaC template as a CloudFormation stack in a single AWS account.

The diagram shows the following workflow:

  1. You create a CloudFormation stack. This deploys a Lambda function and an AWS Config rule. Both the rule and function are set up with the AWS Identity and Access Management (IAM) permissions that are required to publish resource evaluations in AWS Config and logs.

  2. The AWS Config rule operates in detective evaluation mode and invokes the Lambda function every 24 hours.

  3. The Lambda function assesses the security groups and sends updates to AWS Config.

  4. Security Hub receives all of the AWS Config findings.

  5. You can view the findings in Security Hub or in AWS Config, depending on the services that you have set up in the account.

Deploying into an AWS organization

The following diagram shows deployment of the pattern across multiple accounts that are managed through AWS Organizations and AWS Control Tower. You deploy the CloudFormation template through CfCT. The assessment outcomes are centralized in Security Hub in the delegated administrator account. The AWS CodePipeline workflow section of the diagram shows the background steps that occur during CfCT deployment.

Deployment of the IaC template as a CloudFormation stack set in an AWS organization.

The diagram shows the following workflow:

  1. In the management account, you upload a compressed (ZIP) file of the IaC template to an Amazon Simple Storage Service (Amazon S3) bucket that is deployed by CfCT.

  2. The CfCT pipeline unzips the file, runs cfn-nag (GitHub) checks, and deploys the template as a CloudFormation stack set.

  3. Depending on the configuration you specify in the CfCT manifest file, CloudFormation StackSets deploys stacks into individual accounts or specified OUs. This deploys a Lambda function and an AWS Config rule in the target accounts. Both the rule and function are set up with the IAM permissions that are required to publish resource evaluations in AWS Config and logs.

  4. The AWS Config rule operates in detective evaluation mode and invokes the Lambda function every 24 hours.

  5. The Lambda function assesses the security groups and sends updates to AWS Config.

  6. AWS Config forwards all of the findings to Security Hub.

  7. The Security Hub findings are aggregated in the delegated administrator account.

  8. You can view the aggregated findings in Security Hub in the delegated administrator account.

Tools

AWS services

  • AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and AWS Regions.

  • AWS Config provides a detailed view of the resources in your AWS account and how they’re configured. It helps you identify how resources are related to one another and how their configurations have changed over time. An AWS Config rule defines your ideal configuration settings for a resource, and AWS Config can evaluate whether your AWS resources comply with the conditions in the rule.

  • AWS Control Tower helps you set up and govern an AWS multi-account environment, following prescriptive best practices. Customizations for AWS Control Tower (CfCT) helps you customize your AWS Control Tower landing zone and stay aligned with AWS best practices. Customizations for this solution are implemented through CloudFormation templates and AWS Organizations service control policies (SCPs).

  • AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.

  • AWS Organizations is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.

  • AWS Security Hub provides a comprehensive view of your security state in AWS. It also helps you check your AWS environment against security industry standards and best practices.

Other tools

  • Python is a general-purpose computer programming language.

Code repository

The code for this pattern is available in the GitHub Detect vulnerable security groups repository.

Best practices

We recommend that you adhere to the best practices in the following resources:

Epics

Review the CloudFormation template

Task / Description / Skills required

Determine your deployment strategy.

Review the solution and code to determine the deployment strategy for your AWS environment. Determine whether you are deploying into a single account or an AWS organization.

App owner, General AWS

Clone the repository.

Enter the following command to clone the Detect vulnerable security groups repository:

git clone https://github.com/aws-samples/detect-public-security-groups.git

App developer, App owner

Validate the Python version.

  1. Navigate into the top-level directory in the cloned repository:

    cd detect-public-security-groups

  2. Open Security-Group-Public-Assessment.yaml.

  3. In the SgPublicAccessCheckLambdaFunction resource, confirm that the Python version is compatible with your target AWS Regions. By default, this function uses Python 3.12. For more information, see AWS Lambda adds support for Python 3.12. If necessary, update the Python version.

  4. Save and close Security-Group-Public-Assessment.yaml.

AWS administrator, App developer
Deploy the CloudFormation template

Task / Description / Skills required

Deploy the CloudFormation template.

Deploy the CloudFormation template into your AWS environment. Do one of the following:

  • If you're deploying to a single AWS account, follow the instructions in Creating a stack.

  • If you're deploying to an organization that isn't managed by AWS Control Tower, follow the instructions in Create a stack set.

  • If you're deploying to an organization that is managed by AWS Control Tower, follow the instructions in Build your own customizations.

App developer, AWS administrator, General AWS

Verify the deployment.

In the CloudFormation console, verify that the stack or stack set has deployed successfully.

AWS administrator, App owner
Review the findings

Task / Description / Skills required

View the AWS Config rule findings.

In Security Hub, do the following to view a list of individual findings:

  1. Open the Security Hub console.

  2. In the navigation pane, choose Findings.

  3. In the Add filters box, add the following filters:

    • Compliance Status is FAILED

    • Title is SgPublicAccessCheck

  4. Choose Apply.

In Security Hub, do the following to view a list of total findings grouped by AWS account:

  1. Open the Security Hub console.

  2. In the navigation pane, choose Insights.

  3. Choose Create insight.

  4. To select the grouping attribute for the insight:

    1. Choose the search box to display the filter options.

    2. Choose Group by.

    3. Select AwsAccountId.

    4. Choose Apply.

  5. In the Add filters box, add the following filters:

    • Title is SgPublicAccessCheck

    • Compliance Status is FAILED

  6. Choose Create insight.

  7. Enter an Insight name, and then choose Create insight.

In AWS Config, to view a list of findings, follow the instructions in Viewing Compliance Information and Evaluation Results in the AWS Config documentation.

AWS administrator, AWS systems administrator, Cloud administrator

Troubleshooting

Issue / Solution

The CloudFormation stack set creation or deletion fails.

When AWS Control Tower is deployed, it enforces necessary guardrails and assumes control over AWS Config aggregators and rules. This includes preventing any direct alterations through CloudFormation. To properly deploy or remove this CloudFormation template, including all associated resources, you must use CfCT.

CfCT fails to delete the CloudFormation template.

If the CloudFormation template persists even after making necessary changes in the manifest file and removing the template files, confirm that the manifest file contains the enable_stack_set_deletion parameter and that the value is set to false. For more information, see Delete a stack set in the CfCT documentation.

Related resources

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.