Automating the deletion of specific inbound rules from any security groups in AWS via Config
Tanmay Shukla
Posted on February 13, 2023
Hello everyone. Thanks for taking the time to read my blog. I hope you'll end up with a little more knowledge and practical experience after completing this one.
Here is the simple workflow to understand what we want to achieve here.
As much fun as it is to create resources in a cloud like AWS, it is also very important to keep your security checks in place, because even one security breach is enough to take your cloud infrastructure down in some cases.
So let me tell you a little story. As a developer, I used to create applications on Elastic Beanstalk, since it is an AWS managed service and very easy to create and manage. After a while I noticed that Elastic Beanstalk creates the whole thing as a CloudFormation stack. One drawback of this is that it creates the EC2 server with default security group rules (like SSH (port 22) open to anywhere, i.e. 0.0.0.0/0, which is a BIG NO NO!!).
So every time EB creates, rebuilds or updates the security groups, this SSH rule comes back as the default. Earlier I used to delete those SSH rules manually after a warning from Trusted Advisor, which is very tedious but, more importantly, risky, as we never know what could happen if we leave the SSH port open for even 5 minutes.
Now I have found a way to automatically set a rule in AWS Config (it helps you assess, audit, and evaluate the configurations and relationships of your resources) and delete those rules with AWS SSM (Systems Manager) whenever Config detects that rule in any of your security groups. So let's get started and understand the whole process.
AWS Config continuously monitors resources and their configuration and takes remediation actions on the basis of Config rules.
Create the IAM Role for Systems Manager (AWS SSM)
1.) Go to the AWS Management Console.
2.) Create an IAM role and give it permissions that allow SSM to call AWS services on your behalf.
Click on create a role, then select AWS services
and the use case as Systems Manager.
On the next step, choose the AmazonSSMAutomationRole policy from the list.
3.) Finally, give the role the name SSMAutomationRoleForConfig, review the permissions and create the role.
4.) After this, attach one inline policy that gives the role access to remove inbound rules from security groups. Below is the IAM policy for that.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}
Set up the AWS Config rule for restricting SSH access.
5.) Go to AWS Config, click on Add Rule.
6.) Now select the rule type as AWS managed rule, and choose restricted-ssh from the rules list.
7.) Configure the rule and give it an intuitive name like restricted-ssh,
then choose security groups as the resources in the Scope of changes section under Evaluation mode.
You can leave the other optional settings, like parameters and tags, as default.
Finally, review the Config rule and click on Add Rule once done.
Manage the remediation of Config rule.
8.) After creating the rule, select it and, in Actions, click on Manage Remediation.
Now set the remediation to automatic.
Then choose the remediation action AWS-DisableIncomingSSHOnPort22. This will disable the unrestricted incoming SSH traffic on port 22 for EC2 security groups.
You can update the rate limits as per your use case or leave them at the default for now. In the Resource ID parameter, select SecurityGroupIds (or else you can pass the resource ID of noncompliant resources to a remediation action by choosing a parameter that is dependent on the resource type). But here we want to do it for all security groups.
In the next section, Parameters, SecurityGroupIds will be greyed out, so no need to worry about that. In AutomationAssumeRole, put the ARN of the role that you created above, i.e. SSMAutomationRoleForConfig in our case.
Finally review everything and Save Changes.
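Steps 5 to 8 can also be expressed as two AWS Config API calls. The following is an added example, not part of the original post: it uses boto3, the retry values (5 attempts, 60 seconds) are assumed, and the account ID in the role ARN is a placeholder.

```python
import re

RULE_NAME = "restricted-ssh"                      # name chosen in step 7
SSM_DOCUMENT = "AWS-DisableIncomingSSHOnPort22"   # remediation action from step 8
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def config_rule_request():
    """Steps 5-7: the AWS managed rule restricted-ssh, scoped to security groups."""
    return {
        "ConfigRuleName": RULE_NAME,
        "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"},
        "Scope": {"ComplianceResourceTypes": ["AWS::EC2::SecurityGroup"]},
    }

def remediation_request(role_arn, attempts=5, retry_seconds=60):
    """Step 8: automatic remediation through the SSM automation document."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return {
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": SSM_DOCUMENT,
        "ResourceType": "AWS::EC2::SecurityGroup",
        "Automatic": True,
        "MaximumAutomaticAttempts": attempts,     # assumed values; tune per use case
        "RetryAttemptSeconds": retry_seconds,
        "Parameters": {
            # Config fills in the ID of each non-compliant security group;
            # this is the parameter the console shows greyed out.
            "SecurityGroupIds": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
        },
    }

def apply(role_arn, region=None):
    """Create the rule, then attach the remediation (needs boto3 and credentials)."""
    import boto3  # imported here so the request builders work without it
    client = boto3.client("config", region_name=region)
    client.put_config_rule(ConfigRule=config_rule_request())
    client.put_remediation_configurations(
        RemediationConfigurations=[remediation_request(role_arn)]
    )

if __name__ == "__main__":
    # Placeholder account ID; use the ARN of your SSMAutomationRoleForConfig role.
    apply("arn:aws:iam::111122223333:role/SSMAutomationRoleForConfig")
```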
Test if it really works.
- Go to the EC2 dashboard, select any instance and edit the inbound rules of its security group to allow SSH (port 22) from 0.0.0.0/0. (Warning: please don't do that with production resources (or serious resources); use only testing servers that don't have anything that could be compromised in any case.)
- Suppose somebody tries to allow an SSH (port 22) inbound rule to a critical server so that he can SSH into it and take away data or harm the application in some way.
Even if it is for 5 minutes, we won't even know that someone has taken away the data or has SSHed into the virtual machine. You won't get any alarm either. But with Config we can completely resolve this issue and secure our AWS cloud infrastructure.
In a while you will see the remediation like below.
And you'll find that the SSH rule has been deleted by the Config rule and the AWS SSM StartAutomationExecution API.
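To confirm the result across all security groups rather than one at a time in the console, the following added example (not from the original post) scans JSON in the shape returned by aws ec2 describe-security-groups for inbound rules that expose port 22 to 0.0.0.0/0 or ::/0. It goes beyond the single rule tested above by also flagging port ranges that include 22 and all-traffic rules; the sample data and group IDs are constructed.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0example0000001", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0example0000002", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
 {"GroupId": "sg-0example0000003", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 0, "ToPort": 1024, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0example0000004", "IpPermissions": [{"IpProtocol": "-1",
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0example0000005", "IpPermissions": [{"IpProtocol": "tcp",
   "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}""")

def covers_ssh(perm):
    """True if an IpPermissions entry includes TCP port 22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic": every protocol and every port
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)

def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def open_ssh_rules(describe_output):
    """Return (group id, cidr) for every inbound rule exposing SSH to anyone."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not covers_ssh(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(sg["GroupId"], c) for c in cidrs if is_world(c)]
    return findings

if __name__ == "__main__":
    for group_id, cidr in open_ssh_rules(SAMPLE):
        print(f"{group_id}: SSH reachable from {cidr}")
```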
BONUS:
- If you want to set up alerts and notifications when any resource is found non-compliant, see: Get notified when an AWS resource is non-compliant using AWS Config
- If you hit any problem while setting this up, see: Troubleshoot failed remediation actions in AWS Config
If you find any issue while doing this, please let me know in the comments, or you can connect with me directly.