lacework-global-199
Security group attached to Application Load Balancer should not allow inbound traffic from all
Description
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. No security group attached to an Application Load Balancer (ALB) should allow ingress from any source (0.0.0.0/0) on all ports: such a rule lets anyone on the internet reach every port of the load balancer, not just the ports its listeners serve. An internet-facing ALB legitimately accepts traffic from 0.0.0.0/0, but only on its configured listener ports (typically 80 and 443); inbound rules should be restricted to those ports, and internal ALBs should be restricted to the source networks or security groups that need to reach them.
Remediation
- Sign in to the AWS Management Console.
- Navigate to the EC2 dashboard at https://console.aws.amazon.com/ec2/.
- In the left frame of the EC2 Dashboard, select Load Balancing > Load Balancers.
- Select the Load Balancer that has the violation reported by Lacework.
- Under the Description tab, click an attached security group.
- Select the Inbound rules tab from the panel at the bottom of the dashboard.
- Check the Source column of any inbound (ingress) rule whose port range is 0-65535, or whose Protocol is All and Port range is All. If one or more such rules have the source set to 0.0.0.0/0, the security group allows unrestricted IPv4 traffic to every port of the load balancer (a source of ::/0 is the IPv6 equivalent and should be treated the same way).
- To restrict an offending rule, select its 'Security group rule ID' and click 'Edit inbound rules'.
- Change the Source field to a specific CIDR range or security group, or narrow the port range to the load balancer's listener ports only, then click 'Save rules'.
- Alternatively, remove the offending inbound rule entirely: follow the preceding steps, click Delete instead of editing the rule, and then click 'Save rules'.
- Repeat these steps for every security group attached to the load balancer.
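The same check and remediation can be scripted. The example below is added here and is not Lacework's or AWS's own code: it evaluates the rule set of a security group in the JSON shape returned by `aws ec2 describe-security-group-rules`, flags ingress rules that are open to 0.0.0.0/0 or ::/0 on all ports (the console check above), optionally applies the stricter listener-port check from the description, and builds the `aws ec2 revoke-security-group-ingress` command that corresponds to Delete + 'Save rules'. The rule IDs, group ID and rules in `SAMPLE_RULES` are constructed, not taken from a real account.

```python
"""Flag ALB security-group ingress rules that are open to the world.

Added example, not Lacework's or AWS's own code. Input mirrors the
`SecurityGroupRules` list returned by `aws ec2 describe-security-group-rules`.
"""
import json

# Sources that mean "anyone on the internet", IPv4 and IPv6.
UNRESTRICTED_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed sample, not captured from a real account. The group and rule
# IDs are placeholders in the real ID format.
SAMPLE_RULES = json.loads("""
{"SecurityGroupRules": [
 {"SecurityGroupRuleId": "sgr-0a1", "GroupId": "sg-0123456789abcdef0", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-0a2", "GroupId": "sg-0123456789abcdef0", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-0a3", "GroupId": "sg-0123456789abcdef0", "IsEgress": false,
  "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv6": "::/0"},
 {"SecurityGroupRuleId": "sgr-0a4", "GroupId": "sg-0123456789abcdef0", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIpv4": "10.0.0.0/8"},
 {"SecurityGroupRuleId": "sgr-0a5", "GroupId": "sg-0123456789abcdef0", "IsEgress": true,
  "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIpv4": "0.0.0.0/0"},
 {"SecurityGroupRuleId": "sgr-0a6", "GroupId": "sg-0123456789abcdef0", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
  "ReferencedGroupInfo": {"GroupId": "sg-0fedcba9876543210"}},
 {"SecurityGroupRuleId": "sgr-0a7", "GroupId": "sg-0123456789abcdef0", "IsEgress": false,
  "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIpv4": "0.0.0.0/0"}
]}
""")["SecurityGroupRules"]


def is_unrestricted_source(rule):
    """True if the source is the whole IPv4 or IPv6 internet. Rules whose
    source is another security group or a prefix list carry no CidrIpv4 /
    CidrIpv6 key and are therefore never unrestricted by CIDR."""
    return (rule.get("CidrIpv4") in UNRESTRICTED_SOURCES
            or rule.get("CidrIpv6") in UNRESTRICTED_SOURCES)


def is_all_ports(rule):
    """True for 'All traffic' (IpProtocol -1) or an explicit 0-65535 range,
    i.e. the two forms the console check looks for."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def find_unrestricted_ingress(rules, listener_ports=None):
    """Return the IDs of ingress rules that violate the policy.

    By default this matches the console check: world-open rules covering all
    ports. If listener_ports is given (e.g. {80, 443}), the check is stricter
    and also flags any world-open rule that exposes a port outside that set,
    which is the posture an internet-facing ALB should have. Numeric protocol
    strings other than "-1" are not special-cased (an assumption of this
    example) and fall under the strict check.
    """
    violating = []
    for rule in rules:
        if rule.get("IsEgress") or not is_unrestricted_source(rule):
            continue  # egress rules and restricted sources are out of scope
        if is_all_ports(rule):
            violating.append(rule["SecurityGroupRuleId"])
            continue
        if listener_ports is not None:
            exposed = set(range(rule.get("FromPort", -1), rule.get("ToPort", -1) + 1))
            if rule.get("IpProtocol") not in ("tcp", "udp") or exposed - set(listener_ports):
                violating.append(rule["SecurityGroupRuleId"])
    return violating


def revoke_commands(rules, rule_ids):
    """Build one `aws ec2 revoke-security-group-ingress` call per group for
    the flagged rules, the CLI equivalent of Delete followed by 'Save rules'."""
    by_group = {}
    for rule in rules:
        if rule["SecurityGroupRuleId"] in rule_ids:
            by_group.setdefault(rule["GroupId"], []).append(rule["SecurityGroupRuleId"])
    return [
        f"aws ec2 revoke-security-group-ingress --group-id {gid} "
        f"--security-group-rule-ids {' '.join(ids)}"
        for gid, ids in sorted(by_group.items())
    ]


if __name__ == "__main__":
    flagged = find_unrestricted_ingress(SAMPLE_RULES)
    print("Rules open to the world on all ports:", flagged)
    print("Stricter listener-port check:", find_unrestricted_ingress(SAMPLE_RULES, {80, 443}))
    for cmd in revoke_commands(SAMPLE_RULES, flagged):
        print(cmd)
```

Against a real account, replace `SAMPLE_RULES` with the output of `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id>` for each group attached to the load balancer, review the printed commands, and run them only after confirming the rule is not the one serving the ALB's listeners; narrowing a rule to the listener ports (rather than revoking it) is done with `aws ec2 modify-security-group-rules` or in the console as described above.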