[Security] Restrict EC2 security group ingress on high-risk ports 22 and 3389#37
Draft
pagarwal-dev with Copilot wants to merge 2 commits into
Draft
[Security] Restrict EC2 security group ingress on high-risk ports 22 and 3389#37pagarwal-dev with Copilot wants to merge 2 commits into
pagarwal-dev with Copilot wants to merge 2 commits into
Conversation
… ports 22 and 3389 Co-authored-by: pagarwal-dev <224537592+pagarwal-dev@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix unrestricted access to high-risk ports in security groups
[Security] Restrict EC2 security group ingress on high-risk ports 22 and 3389
Mar 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
EC2 security group
sg-0da688dac8d2b15d7(us-east-2) allowed unrestricted ingress (0.0.0.0/0/::/0) on SSH (22) and RDP (3389), exposing the AuthenticationService to brute-force and exploitation from the public internet.Changes
terraform/providers.tf— AWS provider targetingus-east-2, pinned to Terraform ≥1.0 / AWS provider ~5.0terraform/variables.tf— Input variables forvpc_id,admin_cidr(SSH), andmanagement_cidr(RDP) with validation that rejects both unrestricted CIDRs (0.0.0.0/0,::/0) and malformed CIDR notation viacan(cidrhost(...))terraform/security_group.tf— Security group definition with least-privilege ingress and explicit egressThe variable validators act as a hard guardrail —
terraform plan/applywill fail if either CIDR is set to an unrestricted range, preventing accidental regression.Original prompt
This section details on the original issue you should resolve
<issue_title>[Security] [CRITICAL] Security groups should not allow unrestricted access to ports with high risk</issue_title>
<issue_description>> [!NOTE]
Severity: CRITICAL
Cloud Provider: AWS | Resource Type: EC2 Security Group
Problem Description
One or more EC2 security groups allow unrestricted ingress access to high-risk ports. Critical ports such as 22 for SSH and 3389 for RDP are commonly targeted by attackers for unauthorized access, brute force, or exploitation of vulnerabilities. Allowing ingress from 0.0.0.0/0 or ::/0 exposes these services to the entire internet and significantly increases the attack surface.
Remediation Guidance
Restrict ingress access on high-risk ports in the affected security groups so that only trusted networks or specific IP addresses can connect. Replace any rules that allow 0.0.0.0/0 or ::/0 on critical ports with least-privilege rules that match known administrative or application source networks. Where possible, separate administrative access from application traffic and clearly document the intent of each rule.
Affected Resources
Remediation Steps
Code Examples
Terraform
CloudFormation
Validation Steps
Copilot Instructions
Do
Do Not
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.