VPC security group rules permit ingress from '0.0.0.0/0' to port 3389 Affecting VPC service in AWS

Snyk CCSS

Network / Hardening

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-AWS CIS-Controls CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00169
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol, reduces a server's exposure to risk.

How to fix?

Remove any invalid ingress block from the aws_security_group.

An ingress block is invalid if it contains both of the following:

A 0.0.0.0/0 in the cidr_blocks field
3389 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = [10.0.0.0/16]
    from_port   = 3389
    to_port     = 3389
    # other required fields here
  }
}

VPC security group rules permit ingress from '0.0.0.0/0' to port 3389 Affecting VPC service in AWS

Severity

Description

How to fix?

Example Configuration

CloudFormation

Terraform