> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Unrestricted HTTPS Access Should Not Be Allowed

### More Info:

No security group should allow unrestricted inbound access to TCP port 443 (HTTPS).

### Risk Level

Low

### Address

Security

### Compliance Standards

AWSWAF, SOC2, GDPR

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the "Unrestricted HTTPS Access Should Not Be Allowed" misconfiguration in AWS, you can follow these steps:

        1. Log in to the AWS Management Console.
        2. Navigate to the AWS EC2 service.
        3. Click on the "Security Groups" option from the left-hand menu.
        4. Select the security group that is associated with the instance(s) that have unrestricted HTTPS access.
        5. Click on the "Inbound Rules" tab.
        6. Locate the HTTPS rule that has unrestricted access (i.e., source is set to "0.0.0.0/0" or "::/0").
        7. Click on the "Edit" button for the rule.
        8. Change the source to a more restrictive IP range or security group that requires HTTPS access.
        9. Click on the "Save Rules" button to apply the changes.

        Note: If you are unsure which security group is associated with the instance(s) that have unrestricted HTTPS access, you can view the instance details to find the security group ID and then navigate to the Security Groups section to find the security group.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration of unrestricted HTTPS access in AWS using AWS CLI, follow these steps:

        Step 1: Open the AWS CLI in your terminal or command prompt.

        Step 2: Run the following command to list all the security groups in your AWS account:

        ```
        aws ec2 describe-security-groups
        ```

        Step 3: Identify the security group(s) that have unrestricted HTTPS access allowed.

        Step 4: Run the following command to remove the HTTPS access rule from the identified security group(s):

        ```
        aws ec2 revoke-security-group-ingress --group-id <security_group_id> --protocol tcp --port 443 --cidr 0.0.0.0/0
        ```

        Note: Replace `<security_group_id>` with the actual ID of the security group that needs to be remediated.

        Step 5: Verify that the HTTPS access rule has been removed by running the following command:

        ```
        aws ec2 describe-security-groups --group-id <security_group_id>
        ```

        Note: Replace `<security_group_id>` with the actual ID of the security group that was remediated.

        Step 6: Repeat the above steps for all the security groups that have unrestricted HTTPS access allowed.

        By following the above steps, you can remediate the misconfiguration of unrestricted HTTPS access in AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the unrestricted HTTPS access issue in AWS using Python, you can follow the below steps:

        1. Identify the Security Group(s) which are allowing unrestricted HTTPS access.
        2. Using the AWS SDK for Python (Boto3), modify the inbound rules of the identified Security Group(s) to allow HTTPS access only from trusted sources.
        3. Create a script to automate this process for all the Security Group(s) in your AWS account.

        Here is a sample Python code to remediate the issue:

        ```
        import boto3

        # Define the AWS region and security group id
        region = 'us-east-1'
        security_group_id = 'sg-0123456789abcdef'

        # Create an EC2 client
        ec2 = boto3.client('ec2', region_name=region)

        # Get the existing inbound rules of the security group
        response = ec2.describe_security_groups(GroupIds=[security_group_id])

        # Modify the inbound rules to allow HTTPS access only from trusted sources
        ec2.authorize_security_group_ingress(
            GroupId=security_group_id,
            IpPermissions=[
                {
                    'IpProtocol': 'tcp',
                    'FromPort': 443,
                    'ToPort': 443,
                    'IpRanges': [
                        {
                            'CidrIp': 'trusted_ip_address/32'
                        }
                    ]
                }
            ]
        )
        ```

        Note: Replace the `region` and `security_group_id` variables with your own values. Also, replace the `trusted_ip_address` with the IP address(es) of the trusted sources that should be allowed HTTPS access.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/vpc/latest/userguide/VPC\_SecurityGroups.html#AddRemoveRules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules)
