More Info:

No security group should allow unrestricted inbound access to TCP port 443 (HTTPS).

Risk Level

Low

Address

Security

Compliance Standards

AWSWAF, SOC2, GDPR

Remediation

Using Console

To remediate the “Unrestricted HTTPS Access Should Not Be Allowed” misconfiguration in AWS, you can follow these steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the AWS EC2 service.
  3. Click on the “Security Groups” option from the left-hand menu.
  4. Select the security group that is associated with the instance(s) that have unrestricted HTTPS access.
  5. Click on the “Inbound Rules” tab.
  6. Locate the HTTPS rule that has unrestricted access (i.e., source is set to “0.0.0.0/0” or ”::/0”).
  7. Click on the “Edit” button for the rule.
  8. Change the source to a more restrictive IP range or security group that requires HTTPS access.
  9. Click on the “Save Rules” button to apply the changes.

Note: If you are unsure which security group is associated with the instance(s) that have unrestricted HTTPS access, you can view the instance details to find the security group ID and then navigate to the Security Groups section to find the security group.

Using CLI

To remediate the misconfiguration of unrestricted HTTPS access in AWS using AWS CLI, follow these steps:

Step 1: Open the AWS CLI in your terminal or command prompt.

Step 2: Run the following command to list all the security groups in your AWS account:

aws ec2 describe-security-groups

Step 3: Identify the security group(s) that have unrestricted HTTPS access allowed.

Step 4: Run the following command to remove the HTTPS access rule from the identified security group(s):

aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol tcp --port 443 --cidr 0.0.0.0/0

Note: Replace <security_group_id> with the actual ID of the security group that needs to be remediated.

Step 5: Verify that the HTTPS access rule has been removed by running the following command:

aws ec2 describe-security-groups --group-id <security_group_id>

Note: Replace <security_group_id> with the actual ID of the security group that was remediated.

Step 6: Repeat the above steps for all the security groups that have unrestricted HTTPS access allowed.

By following the above steps, you can remediate the misconfiguration of unrestricted HTTPS access in AWS using AWS CLI.

Using Python

To remediate the unrestricted HTTPS access issue in AWS using Python, you can follow the below steps:

  1. Identify the Security Group(s) which are allowing unrestricted HTTPS access.
  2. Using the AWS SDK for Python (Boto3), modify the inbound rules of the identified Security Group(s) to allow HTTPS access only from trusted sources.
  3. Create a script to automate this process for all the Security Group(s) in your AWS account.

Here is a sample Python code to remediate the issue:

import boto3

# Define the AWS region and security group id
region = 'us-east-1'
security_group_id = 'sg-0123456789abcdef'

# Create an EC2 client
ec2 = boto3.client('ec2', region_name=region)

# Get the existing inbound rules of the security group
response = ec2.describe_security_groups(GroupIds=[security_group_id])

# Modify the inbound rules to allow HTTPS access only from trusted sources
ec2.authorize_security_group_ingress(
    GroupId=security_group_id,
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 443,
            'ToPort': 443,
            'IpRanges': [
                {
                    'CidrIp': 'trusted_ip_address/32'
                }
            ]
        }
    ]
)

Note: Replace the region and security_group_id variables with your own values. Also, replace the trusted_ip_address with the IP address(es) of the trusted sources that should be allowed HTTPS access.

Additional Reading: