lacework-global-150
Security Group should not allow inbound traffic from all to TCP port 9200 or 9300 (Opensearch/Elasticsearch)
Description
Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. Best practices recommend that no security group allows unrestricted ingress access to your AWS resources via TCP ports 9200 or 9300 (Opensearch/Elasticsearch) to prevent any unauthorized access.
Remediation
- Sign in to the AWS Management Console.
- Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.
- In the left navigation panel, under Network & Security section, choose Security Groups.
- Select the EC2 security group that you want to examine.
- Select the Inbound rules tab from the dashboard bottom panel.
- Check the Source column for any inbound (ingress) rule whose port range includes 9200 or 9300, or that specifies no port because it allows all protocols. If the source of such a rule is 0.0.0.0/0, the security group allows unrestricted traffic to ports 9200 or 9300, so access to the EC2 instances associated with it is not restricted.
- To update the Source field to a range other than 0.0.0.0/0, select the 'Security group rule ID' you want to change, and click 'Edit inbound rules'.
- From here you can set the new Source field range, and click 'Save rules' to save the changes.
- It is also possible to remove the offending inbound rule completely by following the preceding steps, and instead of updating the Source field range, click 'Delete' followed by 'Save rules'.
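The check the steps above perform by hand, as an added example (not Lacework's policy code): it walks security-group rules in the shape returned by boto3's ec2.describe_security_groups(), flags TCP rules whose port range covers 9200 or 9300 and all-protocol ("-1") rules when the source is 0.0.0.0/0, and additionally treats ::/0 as the same exposure (an assumption beyond the page). The sample groups are constructed so it runs offline.

```python
# Added example (not Lacework's policy code): flag EC2 security-group ingress
# rules that expose TCP 9200/9300 (OpenSearch/Elasticsearch) to 0.0.0.0/0.
# Rule dicts mirror boto3 ec2.describe_security_groups() output; the sample
# groups below are constructed so the check runs offline.
TARGET_PORTS = {9200, 9300}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"  # assumption: IPv6 any-source counts as the same exposure


def rule_covers_target_port(perm: dict) -> bool:
    """True if the rule's protocol/port range includes 9200 or 9300."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":
        return True  # all protocols: no port range, every port is open
    if proto not in ("tcp", "6"):
        return False  # UDP/ICMP rules cannot reach a TCP service
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:
        return False
    return any(low <= p <= high for p in TARGET_PORTS)


def rule_open_to_world(perm: dict) -> bool:
    """True if any source of the rule is an unrestricted CIDR."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_violations(security_groups: list) -> list:
    """Return (GroupId, IpProtocol, FromPort, ToPort) for each offending rule."""
    return [(sg["GroupId"], p.get("IpProtocol"), p.get("FromPort"), p.get("ToPort"))
            for sg in security_groups
            for p in sg.get("IpPermissions", [])
            if rule_covers_target_port(p) and rule_open_to_world(p)]


# Constructed sample data: one direct hit, one all-protocols hit, two clean rules.
SAMPLE_GROUPS = [
    {"GroupId": "sg-sample0001", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 9200, "ToPort": 9200, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-sample0002", "IpPermissions": [{"IpProtocol": "tcp",
        "FromPort": 9000, "ToPort": 9400, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-sample0003", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-sample0004", "IpPermissions": [{"IpProtocol": "udp",
        "FromPort": 9200, "ToPort": 9300, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Running `find_violations(SAMPLE_GROUPS)` reports sg-sample0001 and sg-sample0003; the private-source range and the UDP rule are correctly ignored.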