Open Security Groups

Description

Security groups with inbound rules allowing 0.0.0.0/0 or ::/0 to sensitive ports (SSH 22, RDP 3389, database ports) expose workloads to the internet, enabling brute-force attempts and exploit scanning. Overly permissive egress rules (0.0.0.0/0) also allow data exfiltration and command-and-control traffic to leave the VPC unchecked.

Examples

List Wide-Open Rules

aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?contains(IpRanges[*].CidrIp,'0.0.0.0/0')]].[GroupId,GroupName,IpPermissions]"
aws ec2 describe-security-groups --query "SecurityGroups[?IpPermissions[?contains(Ipv6Ranges[*].CidrIpv6,'::/0')]].[GroupId,GroupName]"

Verify Exposure

Attempt to reach the port from outside the VPC, or use external scanners, to confirm the rule is actually reachable: a group attached to no interface, or only to instances without a public IP, carries less immediate risk than one on an internet-facing host.

Identify Attached Resources

aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg-id> \
  --query 'NetworkInterfaces[*].Attachment.InstanceId'
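The two CLI queries above only match the any-address CIDRs; they do not check which ports the rule covers or which instances carry the group. The following added example (not part of the original page) does both in one pass over the JSON shapes that `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` return, so it can be run on real output; the security-group and ENI records, the group IDs, and the list of sensitive ports below are constructed for illustration.

```python
"""Flag security groups open to the world on sensitive ports and map them to instances.

Added example. Input shapes follow the AWS CLI / boto3 output for
describe-security-groups (SecurityGroups[]) and describe-network-interfaces
(NetworkInterfaces[]). All sample records below are constructed.
"""

# Ports treated as sensitive (constructed list; extend for your estate).
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}
WORLD = {"0.0.0.0/0", "::/0"}


def _world_cidrs(perm):
    """Any-address CIDRs (v4 and v6) present in one IpPermissions entry."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def _ports_covered(perm):
    """Sensitive ports inside the entry's port range.

    IpProtocol "-1" means all traffic and carries no FromPort/ToPort, so it
    covers every sensitive port; non-TCP/UDP protocols (e.g. icmp) cover none.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def find_open_groups(security_groups):
    """Return findings as dicts: GroupId, Direction, Ports, Cidrs.

    Ingress is flagged only when a world CIDR meets a sensitive port;
    egress is flagged for any world CIDR, as the page recommends.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            world, ports = _world_cidrs(perm), _ports_covered(perm)
            if world and ports:
                findings.append({"GroupId": sg["GroupId"], "Direction": "ingress",
                                 "Ports": sorted(ports), "Cidrs": world})
        for perm in sg.get("IpPermissionsEgress", []):
            world = _world_cidrs(perm)
            if world:
                findings.append({"GroupId": sg["GroupId"], "Direction": "egress",
                                 "Ports": sorted(_ports_covered(perm)), "Cidrs": world})
    return findings


def attached_instances(findings, network_interfaces):
    """Map each flagged group to the instance IDs whose ENIs carry it.

    Unattached ENIs (no Attachment.InstanceId) are skipped, so a flagged
    group with an empty list is attached to nothing that runs.
    """
    by_group = {}
    for eni in network_interfaces:
        inst = eni.get("Attachment", {}).get("InstanceId")
        for g in eni.get("Groups", []):
            bucket = by_group.setdefault(g["GroupId"], set())
            if inst:
                bucket.add(inst)
    return {f["GroupId"]: sorted(by_group.get(f["GroupId"], set())) for f in findings}


# Constructed sample data mirroring the CLI output shapes.
SAMPLE_SGS = [
    {"GroupId": "sg-0open", "GroupName": "legacy-admin",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,      # public HTTPS: not flagged
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ok", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.1.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0v6", "GroupName": "db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,  # range covers 5432
                        "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
]
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0a", "Groups": [{"GroupId": "sg-0open"}, {"GroupId": "sg-0ok"}],
     "Attachment": {"InstanceId": "i-0aaa"}},
    {"NetworkInterfaceId": "eni-0b", "Groups": [{"GroupId": "sg-0open"}],
     "Attachment": {"InstanceId": "i-0bbb"}},
    {"NetworkInterfaceId": "eni-0c", "Groups": [{"GroupId": "sg-0v6"}], "Attachment": {}},  # unattached
]

if __name__ == "__main__":
    found = find_open_groups(SAMPLE_SGS)
    owners = attached_instances(found, SAMPLE_ENIS)
    for f in found:
        print(f["GroupId"], f["Direction"], f["Ports"], f["Cidrs"], "->", owners[f["GroupId"]])
```

To run it against a live account, replace the two constants with `json.load` of the CLI output (or `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` and the paginated `describe_network_interfaces` result). Note that the port-range check is what catches the IPv6 finding above: a rule for 5000-6000 never mentions 5432 explicitly, which a string match on the port would miss.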

Remediation

  1. Restrict ingress to known CIDRs or private networks.
  2. Use SSM Session Manager, AWS Verified Access, or a VPN/bastion instead of direct SSH/RDP.
  3. Lock down egress:
    • Deny 0.0.0.0/0 egress where possible; allow only required destinations (e.g., patch mirrors, APIs) via VPC endpoints.
  4. Defense in depth:
    • Apply NACLs, AWS Network Firewall, and reachability analysis; remove public IPs where not needed and place workloads behind ALB/NLB.
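Step 1 in practice means replacing the any-address range in each open rule with the CIDRs that actually need access, without touching the rest of the rule. The following added example (not part of the original page) builds that change as a pair of `IpPermissions` entries in the shape that boto3's `revoke_security_group_ingress` and `authorize_security_group_ingress` expect, orders the authorize before the revoke so administrative access is never lost mid-change, and rejects allowed CIDRs that are themselves world-open or malformed. It constructs the call parameters only; the rule entry, group ID and CIDRs below are constructed for illustration, and no AWS call is made.

```python
"""Turn an any-address ingress rule into a restricted one (added example).

Produces boto3 parameter dicts for revoke_security_group_ingress and
authorize_security_group_ingress; it does not call AWS. Sample rule, group
ID and CIDRs are constructed.
"""
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}


def restrict_rule(perm, allowed_cidrs, note="restricted: replaces 0.0.0.0/0"):
    """Split one open IpPermissions entry into (revoke, authorize) entries.

    `revoke` keeps only the any-address ranges, so other CIDRs already on
    the rule survive; `authorize` re-creates the same protocol and port
    range for the allowed CIDRs. Raises ValueError for an invalid CIDR,
    for host bits set (10.0.0.1/8), or for a /0 that would reopen the rule.
    """
    v4, v6 = [], []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on bad input
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} would leave the rule open to the world")
        (v6 if net.version == 6 else v4).append(str(net))
    # Protocol and port range must match the existing rule exactly for the
    # revoke to take effect; IpProtocol "-1" rules carry no ports.
    base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
    revoke = dict(base,
                  IpRanges=[r for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"],
                  Ipv6Ranges=[r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"])
    authorize = dict(base,
                     IpRanges=[{"CidrIp": c, "Description": note} for c in v4],
                     Ipv6Ranges=[{"CidrIpv6": c, "Description": note} for c in v6])
    return revoke, authorize


def plan_remediation(group_id, permissions, allowed_cidrs):
    """Return the ordered boto3 calls needed to close every open rule in a group.

    Each item is {"method": <ec2 client method name>, "params": {...}}.
    All authorizes come before all revokes so the replacement access exists
    before the world-open access is removed.
    """
    authorizes, revokes = [], []
    for perm in permissions:
        cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
        cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue  # nothing world-open on this rule
        revoke, authorize = restrict_rule(perm, allowed_cidrs)
        if authorize["IpRanges"] or authorize["Ipv6Ranges"]:
            authorizes.append({"method": "authorize_security_group_ingress",
                               "params": {"GroupId": group_id, "IpPermissions": [authorize]}})
        revokes.append({"method": "revoke_security_group_ingress",
                        "params": {"GroupId": group_id, "IpPermissions": [revoke]}})
    return authorizes + revokes


# Constructed sample: SSH open to the world alongside an internal range.
SAMPLE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},  # already restricted
]
ALLOWED = ["192.0.2.0/24", "2001:db8::/32"]  # constructed admin ranges

if __name__ == "__main__":
    import json
    # To apply for real: ec2 = boto3.client("ec2"); getattr(ec2, step["method"])(**step["params"])
    for step in plan_remediation("sg-0open", SAMPLE_PERMS, ALLOWED):
        print(step["method"], json.dumps(step["params"]))
```

The `strict=True` check is deliberate: EC2 normalises a CIDR with host bits set, so a typo such as `10.0.0.1/8` would silently become `10.0.0.0/8` and admit far more than intended. After applying the plan, re-run the detection query from the Examples section to confirm the group no longer matches, and keep the egress rules in scope for step 3.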