Open security groups
Check ID: aws-vpc-002
AWS-VPC-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for security groups with unrestricted inbound access (0.0.0.0/0 or ::/0) on sensitive ports such as SSH, RDP and database ports, or on all traffic.
Why it matters
Security groups open to 0.0.0.0/0 on ports like SSH (22), RDP (3389), or database ports (3306, 5432, 1433) expose services to brute-force attacks from the entire internet. Shodan and Censys continuously scan all IPv4 addresses - a newly exposed SSH port receives automated login attempts within minutes. The 2023 MOVEit Transfer breach (CVE-2023-34362) was amplified because many organizations had the service port open to the internet. CIS AWS Benchmark 5.2 requires that no security group allows unrestricted ingress to administrative ports. Use VPN, AWS Systems Manager Session Manager, or EC2 Instance Connect to access instances instead of opening SSH to the world.
Common causes
Security groups are opened to 0.0.0.0/0 during initial development or troubleshooting when engineers need quick access and plan to restrict later. Teams working remotely from dynamic IP addresses open SSH to the world because maintaining IP allowlists feels impractical. Automated deployments sometimes use overly permissive security groups as defaults, and the restriction step is treated as a follow-up that never happens.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
Remediation: AWS CLI
aws ec2 revoke-security-group-ingress --group-id SG_ID --protocol tcp --port PORT --cidr 0.0.0.0/0 --region REGION
Remediation: Terraform
resource "aws_security_group_rule" "restrict" {
  type              = "ingress"
  security_group_id = "sg-xxx"        # the security group being remediated (placeholder)
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["YOUR_IP/32"]  # allow a single trusted source address instead of 0.0.0.0/0
}
Compliance mapping
This check maps to CIS 5.2 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →