AWS Client VPN Authorization Rules Should Be Enabled Authorizing All Clients
More Info:
This rule checks if the AWS Client VPN authorization rules authorize connection access for all clients. Having authorization rules that allow access for all clients (AccessAll) can pose a security risk by potentially granting access to unauthorized users. The rule is marked as non-compliant if ‘AccessAll’ is present and set to true.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Remediation
Using Console
To remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled authorizing all clients, you can follow these steps using the AWS console:
-
Login to AWS Console: Go to the AWS Management Console and login to your account.
-
Navigate to AWS Client VPN: In the AWS Management Console, navigate to the AWS Client VPN service.
-
Select the Client VPN Endpoint: Select the Client VPN endpoint for which you want to enable authorization rules.
-
Click on the “Authorization” tab: In the Client VPN details page, click on the “Authorization” tab to view the current authorization rules.
-
Edit Authorization Rules: Click on the “Edit Authorization Rules” button to edit the authorization rules for the Client VPN.
-
Add a New Rule: Click on the “Add Rule” button to add a new authorization rule.
-
Configure the Authorization Rule: In the configuration for the new authorization rule, set the following values:
- Action: Allow
- Access to: All
- Clients: All
-
Save the Authorization Rule: After configuring the authorization rule, click on the “Save” button to save the rule.
-
Review and Apply Changes: Review the changes to ensure that the authorization rule is correctly configured to authorize all clients. Click on the “Apply changes” button to apply the new authorization rule.
-
Verify the Configuration: Verify that the authorization rule has been successfully applied by checking the list of authorization rules for the Client VPN endpoint.
By following these steps, you can remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled to authorize all clients.
Using CLI
To remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled to authorize all clients, you can follow these steps using the AWS CLI:
- List the existing authorization rules for the AWS Client VPN endpoint:
aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <client-vpn-endpoint-id>
-
Identify the existing authorization rules that need to be updated to authorize all clients.
-
Update the authorization rules to authorize all clients by adding a new rule with CIDR range
0.0.0.0/0:
aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id <client-vpn-endpoint-id> --target-network-cidr 0.0.0.0/0
- Verify that the new authorization rule has been successfully added by listing the authorization rules again:
aws ec2 describe-client-vpn-authorization-rules --client-vpn-endpoint-id <client-vpn-endpoint-id>
By following these steps, you can remediate the misconfiguration of AWS Client VPN Authorization Rules not authorizing all clients on an AWS EC2 instance using the AWS CLI.
Using Python
To remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled to authorize all clients for AWS EC2 using Python, you can follow these steps:
- Import the necessary Python libraries:
import boto3
- Initialize the AWS EC2 client:
ec2_client = boto3.client('ec2')
- Describe the existing Client VPN endpoints:
response = ec2_client.describe_client_vpn_endpoints()
- Get the Client VPN endpoint ID:
endpoint_id = response['ClientVpnEndpoints'][0]['ClientVpnEndpointId']
- Update the Client VPN endpoint authorization rules to allow all clients:
response = ec2_client.modify_client_vpn_endpoint(
ClientVpnEndpointId=endpoint_id,
SplitTunnel=True,
ClientConnectOptions={
'Enabled': True
}
)
- Verify that the authorization rules have been updated successfully:
response = ec2_client.describe_client_vpn_endpoints()
authorization_rules = response['ClientVpnEndpoints'][0]['ClientConnectOptions']['Enabled']
if authorization_rules:
print("Client VPN authorization rules have been successfully updated to allow all clients.")
else:
print("Failed to update Client VPN authorization rules.")
By following these steps and running the Python script, you can remediate the misconfiguration of AWS Client VPN Authorization Rules not being enabled to authorize all clients for AWS EC2.