Exploit Public-Facing Application: Overly Permissive VPC Security Groups
AWS Specific Sub-Technique
Other sub-techniques of Exploit Public-Facing Application (7)
ID | Name |
---|---|
T1190.A016 | EC2 Hosted Application Compromise |
T1190.A019 | Overly Permissive VPC Security Groups |
AWS Specific Content
A prerequisite for this technique is that an AWS resource has been configured with unrestricted or overly permissive VPC Security Groups, that there is a network path to the VPC-attached resource, and that there is an active listener.
A resource configured with unnecessarily permissive VPC security groups is exposed to scanning, probing, and denial-of-service attempts. The same configuration also allows brute-force logins against the resource and lets threat actors keep retrying access without restriction.
Detection
AWS Specific Content
Configure, review, and monitor VPC Flow Logs for public access to resources. Use AWS Config with AWS managed rules to evaluate whether configured resources comply with common best practices; AWS provides a managed rule that flags open security groups. AWS Security Hub can check these best practices and generate findings, and Security Hub controls can also check whether the default security group of a VPC allows inbound or outbound traffic.
Amazon GuardDuty has finding types for anomalous traffic detected on an EC2 instance, for example an EC2 instance communicating with a remote host on an unusual server port.
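The detection guidance above names the data sources (security group configuration and VPC Flow Logs) but not how to join them. The following Python example is added here and is not code from the original page or from AWS: it audits security groups in the shape returned by boto3's `describe_security_groups`, parses VPC Flow Log records in the default version 2 format, and reports each world-open ingress rule on which several distinct external hosts have already been accepted, which is the scanning and brute-force exposure this technique describes. The security groups, flow log lines, group ids, interface ids and addresses are constructed sample data, and treating RFC 1918 space as internal is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of boto3 ec2.describe_security_groups()["SecurityGroups"].
# Group ids, names and CIDRs are placeholders, not real resources.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "db-restricted",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
     ]},
]

# Constructed VPC Flow Log records (default format, version 2). Field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0aaa 203.0.113.12 10.0.1.5 51234 22 6 12 1040 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 203.0.113.12 10.0.1.5 51235 22 6 12 1040 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.5 40000 22 6 12 1040 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.9 10.0.1.5 40001 22 6 3 180 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0aaa 10.0.2.9 10.0.1.5 33000 22 6 20 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.5 40002 3389 6 1 60 1700000030 1700000090 REJECT OK
2 123456789012 eni-0aaa 192.0.2.44 10.0.1.5 55000 443 6 30 9000 1700000000 1700000060 ACCEPT OK
"""

WORLD = {"0.0.0.0/0", "::/0"}
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
# Assumption: RFC 1918 space is the internal (VPC / on-premises) estate; everything else is external.
INTERNAL = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def open_ingress(groups):
    """Return a list of (group_id, protocol, from_port, to_port, cidr) for each ingress
    rule whose source is the whole Internet. IpProtocol "-1" means all protocols and ports."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD:
                    findings.append((g["GroupId"], perm["IpProtocol"],
                                     perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def external_accepted(flow_log_text, internal=INTERNAL):
    """Map (protocol_number, dstport) -> set of external source addresses whose inbound
    traffic was ACCEPTed. REJECT records are skipped: they are probes the group already blocked."""
    by_key = defaultdict(set)
    for line in flow_log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue
        src = ipaddress.ip_address(f[3])
        if any(src in net for net in internal):
            continue
        by_key[(int(f[7]), int(f[6]))].add(str(src))
    return by_key


def correlate(groups, flow_log_text, min_sources=3):
    """Join world-open rules with accepted external flows. A port open to 0.0.0.0/0 that
    several distinct external hosts have already reached is the exposure to report.
    Returns sorted (group_id, port, distinct_external_sources) tuples."""
    flows = external_accepted(flow_log_text)
    hits = set()
    for gid, proto, lo, hi, _cidr in open_ingress(groups):
        for (pnum, port), sources in flows.items():
            same_proto = proto == "-1" or PROTO_NUM.get(proto) == pnum
            in_range = proto == "-1" or (lo is not None and lo <= port <= hi)
            if same_proto and in_range and len(sources) >= min_sources:
                hits.add((gid, port, len(sources)))
    return sorted(hits)


if __name__ == "__main__":
    for gid, port, n in correlate(SAMPLE_SECURITY_GROUPS, SAMPLE_FLOW_LOG):
        print(f"{gid}: port {port} open to the Internet, {n} distinct external sources accepted")
```

In a real deployment the two inputs come from `ec2.describe_security_groups()` and from the flow log destination (CloudWatch Logs or S3); the `min_sources` threshold separates a single legitimate client from the many-source pattern of a scan or brute-force run, and the 443 rule in the sample is deliberately left below it because a public web port with one client is expected behaviour.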
Mitigation
AWS Specific Content
Create security group rules that restrict VPC security groups to authorized entities only. Additionally, AWS Network Firewall can be used to further manage and restrict access to a VPC and to monitor and protect VPC traffic.
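Restricting a group "to authorized entities only" in practice means computing which existing rules to revoke and which narrower rules to add, and applying them in an order that does not cut off legitimate clients. The following Python example is added here and is not code from the original page or from AWS: it diffs a group's current ingress rules against a desired policy and produces the `IpPermissions` lists that boto3's `revoke_security_group_ingress` and `authorize_security_group_ingress` accept. The current rules, the desired policy and the corporate CIDR are constructed sample values; the `apply_plan` function is illustrative and is not executed here.

```python
# Constructed: current ingress rules of one security group, in the shape of
# boto3 ec2.describe_security_groups()["SecurityGroups"][0]["IpPermissions"].
CURRENT_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]

# Desired policy (constructed): (protocol, from_port, to_port) -> authorized source CIDRs.
# 443 stays public because it is the service the group exists to expose; 22 is limited
# to a placeholder corporate egress range instead of the whole Internet.
DESIRED_INGRESS = {
    ("tcp", 22, 22): {"198.51.100.0/24"},
    ("tcp", 443, 443): {"0.0.0.0/0"},
}


def flatten(permissions):
    """Expand IpPermissions entries into a set of (protocol, from, to, cidr) tuples."""
    rules = set()
    for p in permissions:
        key = (p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
        for r in p.get("IpRanges", []):
            rules.add(key + (r["CidrIp"],))
        for r in p.get("Ipv6Ranges", []):
            rules.add(key + (r["CidrIpv6"],))
    return rules


def to_permissions(rules):
    """Rebuild one IpPermissions entry per rule, usable as the IpPermissions= argument of
    ec2.revoke_security_group_ingress / ec2.authorize_security_group_ingress."""
    perms = []
    for proto, lo, hi, cidr in sorted(rules, key=str):
        perm = {"IpProtocol": proto}
        if lo is not None:          # "-1" (all traffic) rules carry no port range
            perm["FromPort"], perm["ToPort"] = lo, hi
        if ":" in cidr:
            perm["Ipv6Ranges"] = [{"CidrIpv6": cidr}]
        else:
            perm["IpRanges"] = [{"CidrIp": cidr}]
        perms.append(perm)
    return perms


def plan_restriction(current, desired):
    """Return (revoke, authorize) IpPermissions lists that move `current` to `desired`.
    Rules already matching the policy are left untouched."""
    have = flatten(current)
    want = {key + (cidr,) for key, cidrs in desired.items() for cidr in cidrs}
    return to_permissions(have - want), to_permissions(want - have)


def apply_plan(ec2, group_id, revoke, authorize):
    """Apply the plan with a boto3 EC2 client (illustrative, not run here). Authorize the
    narrower rules first so no authorized client loses access between the two calls,
    then revoke the over-broad ones."""
    if authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)


if __name__ == "__main__":
    revoke, authorize = plan_restriction(CURRENT_INGRESS, DESIRED_INGRESS)
    print("revoke:", revoke)
    print("authorize:", authorize)
```

Keeping the desired policy as data makes the same routine usable as a drift check: an empty plan means the group already matches policy, and a non-empty revoke list on the VPC's default security group (which should carry no ingress rules at all) is the condition the Security Hub control mentioned in the detection section reports.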