Sensitive Ports are Exposed To Internet

Overview

Checks if instance was found to be exposed to the internet, by ensuring no security groups allow ingress from 0.0.0.0/0 or ::/0 or other Internet-accessible CIDR ranges, to the following ports:

MongoDB ports 27017 and 27018
FTP ports 20 or 21
port 22
port 3389
Cassandra ports 7199 or 9160 or 8888
Elasticsearch/Kibana ports 9200 or 9300 or 5601
Kafka port 9092
Memcached port 11211
MySQL port 3306
Oracle ports 1521 or 2483
Postgres port 5432
Redis port 6379
Windows SQL Server ports 1433 or 1434
Telnet port 23

Proper security group configurations are critical to decreasing your attack surface.

Vendor

AWS

Cloud Service

EC2

Input

{"ports":{"label":"Ports","helpText":"List of ports to check for Internet exposure.","value":[27017,27018,20,21,22,3389,7199,9160,8888,9200,9300,5601,9092,11211,3306,1521,2483,5432,6379,1433,1434,23],"type":"number[]"}}

CSMM v1 NET-02.1

References

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html, https://docs.aws.amazon.com/vpc/latest/userguide/security-groups.html, https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/authorizing-access-to-an-instance.html

Severity

Item Types

AWS::EC2::Instance

AWS::EC2::SecurityGroup

Overview​

Vendor​

Cloud Service​

Input​

Related Controls​

References​

Severity​

Item Types​

Related Item Types​