EC2 Instance Exposes an Administrative Port to the Internet
Overview
This EC2 instance exposes a port commonly used for system administration to all IP addresses (0.0.0.0/0) on the internet. If SSH, RDP, or a similar service is running on the instance, an attacker could attempt to gain access through brute force or exposed credentials. This assessor checks ports 22 (SSH) and 3389 (RDP) by default, but the list of ports is configurable.
It is best practice to limit access to SSH, RDP, and other administrative interfaces behind a bastion host or VPN that requires multi-factor authentication.
If you need to expose one of these services, you should take steps to mitigate the risk of credential exposure, including the use of multi-factor authentication, security tokens, and key-based authentication.
Narrowing access to specific, trusted network ranges can reduce your risk, but FireMon Cloud Defense will still report the limited exposure as a lower severity issue if the network ranges are not included in your list of Known CIDRs.
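The following is an added example, not FireMon Cloud Defense code, showing how the check described above can be expressed as a function over an instance's security-group ingress rules. It assumes a simplified rule model (protocol, port range, source CIDR), treats any /0 source as Internet exposure, suppresses findings for sources that fall inside a configured list of Known CIDRs, and reports other narrowed sources at a lower severity. The severity value 5 for Internet exposure comes from this page; the lower value for untrusted ranges, the rule shapes, the group IDs and the CIDRs are constructed for the example. Reachability via route tables or public IP assignment is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Default administrative ports, matching the assessor's documented defaults.
DEFAULT_PORTS = [22, 3389]

# Severity for open-to-Internet exposure is taken from this page (5); the
# value for an untrusted narrowed range is an assumption for this example,
# since the page only says it is reported at a lower severity.
SEVERITY_INTERNET = 5
SEVERITY_UNKNOWN_RANGE = 3


@dataclass(frozen=True)
class IngressRule:
    """One security-group ingress permission (constructed, simplified model)."""
    protocol: str              # "tcp", "udp", or "-1" for all protocols
    from_port: Optional[int]   # None when protocol is "-1"
    to_port: Optional[int]
    cidr: str                  # IPv4 or IPv6 source CIDR


def rule_covers_port(rule: IngressRule, port: int) -> bool:
    """True if the rule admits traffic to the given TCP port."""
    # An all-traffic rule covers every port; otherwise only TCP ranges matter,
    # since SSH and RDP are TCP services.
    if rule.protocol == "-1":
        return True
    if rule.protocol.lower() != "tcp":
        return False
    return rule.from_port <= port <= rule.to_port


def classify_source(cidr: str, known_cidrs: Sequence[str]) -> str:
    """Return 'internet', 'known', or 'unknown' for a rule's source CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
        return "internet"
    for known in known_cidrs:
        known_net = ipaddress.ip_network(known, strict=False)
        # subnet_of() requires both networks to be the same IP version.
        if net.version == known_net.version and net.subnet_of(known_net):
            return "known"
    return "unknown"


def assess_instance(security_groups: Dict[str, List[IngressRule]],
                    ports: Sequence[int] = DEFAULT_PORTS,
                    known_cidrs: Sequence[str] = ()) -> List[dict]:
    """Return one finding per (security group, rule, port) exposure.

    Sources inside known_cidrs are trusted and produce no finding.
    """
    findings = []
    for sg_id, rules in security_groups.items():
        for rule in rules:
            exposure = classify_source(rule.cidr, known_cidrs)
            if exposure == "known":
                continue
            for port in ports:
                if rule_covers_port(rule, port):
                    findings.append({
                        "security_group": sg_id,
                        "port": port,
                        "source": rule.cidr,
                        "exposure": exposure,
                        "severity": (SEVERITY_INTERNET if exposure == "internet"
                                     else SEVERITY_UNKNOWN_RANGE),
                    })
    return findings


# Constructed sample: one group open to the world on SSH, one narrowed to a
# range that is not in the known list, and one limited to a trusted range but
# carrying an all-traffic IPv6 rule open to ::/0.
SAMPLE_GROUPS = {
    "sg-example-open": [IngressRule("tcp", 22, 22, "0.0.0.0/0")],
    "sg-example-narrow": [IngressRule("tcp", 3389, 3389, "198.51.100.0/24")],
    "sg-example-trusted": [IngressRule("tcp", 22, 22, "203.0.113.0/24"),
                           IngressRule("-1", None, None, "::/0")],
}
KNOWN_CIDRS = ["203.0.113.0/24"]  # constructed "Known CIDRs" list

if __name__ == "__main__":
    for finding in assess_instance(SAMPLE_GROUPS, known_cidrs=KNOWN_CIDRS):
        print(finding)
```

Running the sample yields four findings: SSH open to the world in the first group, RDP narrowed to an unlisted range in the second (lower severity), and both ports in the third group because the all-traffic IPv6 rule to ::/0 overrides the otherwise trusted IPv4 rule. Passing a different `ports` list reproduces the configurable-port behaviour described above.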
Vendor
AWS
Cloud Service
EC2
Input
{
  "ports": {
    "label": "Ports",
    "helpText": "List of ports to check for Internet exposure.",
    "value": [22, 3389],
    "type": "number[]"
  }
}
References
https://en.wikipedia.org/wiki/Bastion_host, https://en.wikipedia.org/wiki/Private_network
Severity
5
Item Types
AWS::EC2::Instance
Related Item Types
AWS::EC2::SecurityGroup, AWS::EC2::RouteTable