Potential administrative port open to the world via AWS security group

Goal

Detect when an AWS security group is opened to the world on a port commonly associated with an administrative service.

Strategy

Monitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:

This rule inspects the @requestParameters.ipPermissions.items.ipRanges.items.cidrIp or @requestParameters.cidrIp array to determine whether it contains either of the strings 0.0.0.0/0 or ::/0 for any of the following ports:

  • 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 445 (SMB)
  • 2375 (Docker daemon)
  • 3389 (RDP)
  • 5900 (VNC)
  • 5985 (WinRM HTTP)
  • 5986 (WinRM HTTPS)

Administrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.
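The check the rule describes, as an added example (not Datadog's rule query): it walks the requestParameters of a CloudTrail event in both the nested ipPermissions form and the flat cidrIp form, and flags admin ports opened to 0.0.0.0/0 or ::/0. It goes beyond the rule text in two assumed ways: port ranges are expanded (a 20-25 rule exposes 21, 22 and 23) and a permission with no fromPort/toPort (ipProtocol -1, all traffic) counts as every port. The sample event and group id are constructed, not a real capture.

```python
ADMIN_PORTS = {21, 22, 23, 445, 2375, 3389, 5900, 5985, 5986}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def _permissions(params):
    """Yield (fromPort, toPort, cidr) from requestParameters, covering both the
    nested ipPermissions.items[].ipRanges.items[].cidrIp form and the flat
    legacy form with cidrIp/fromPort/toPort directly under requestParameters."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield perm.get("fromPort"), perm.get("toPort"), rng.get("cidrIp")
    if "cidrIp" in params:
        yield params.get("fromPort"), params.get("toPort"), params["cidrIp"]

def exposed_admin_ports(params):
    """Sorted admin ports this request opens to 0.0.0.0/0 or ::/0.
    Assumption beyond the rule text: port ranges are expanded (20-25 exposes
    21/22/23) and a rule with no fromPort/toPort (ipProtocol -1) exposes all."""
    hits = set()
    for lo, hi, cidr in _permissions(params):
        if cidr not in WORLD_CIDRS:
            continue  # specific or private range: not world-open
        if lo is None or hi is None:
            hits |= ADMIN_PORTS  # all-traffic rule
        else:
            hits |= {p for p in ADMIN_PORTS if lo <= p <= hi}
    return sorted(hits)

def evaluate_event(event):
    """One CloudTrail event -> triage record; an empty port list means no alert."""
    ports = exposed_admin_ports(event.get("requestParameters") or {})
    return {"eventName": event.get("eventName"), "ports": ports, "alert": bool(ports)}

# Constructed CloudTrail event (not a real capture): SSH open to the world,
# HTTPS open to the world (not an admin port), RDP from a private range only.
SAMPLE_EVENT = {
    "eventName": "AuthorizeSecurityGroupIngress",
    "requestParameters": {
        "groupId": "sg-PLACEHOLDER",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}}

if __name__ == "__main__":
    print(evaluate_event(SAMPLE_EVENT))  # ports [22] -> alert True
```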

Note: There is a separate rule to detect AWS Security Group Open to the World.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
  • Rotate the user credentials.
  • Determine what other API calls were made by the user.
  • Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.
  3. If the API call was made legitimately by the user:
  • Advise the user to modify the IP range to the company private network or bastion host.
  4. Revert security group configuration back to known good state if required:

Changelog

  • 26 August 2022 - Updated rule query.
  • 1 November 2022 - Updated rule query and severity.