Skip to content

[Security] Restrict EC2 security group ingress on high-risk ports 22 and 3389#37

Draft
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-security-group-access
Draft

[Security] Restrict EC2 security group ingress on high-risk ports 22 and 3389#37
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-security-group-access

Conversation

Copilot AI commented Mar 6, 2026

Copy link
Copy Markdown
Contributor

EC2 security group sg-0da688dac8d2b15d7 (us-east-2) allowed unrestricted ingress (0.0.0.0/0/::/0) on SSH (22) and RDP (3389), exposing the AuthenticationService to brute-force and exploitation from the public internet.

Changes

  • terraform/providers.tf — AWS provider targeting us-east-2, pinned to Terraform ≥1.0 / AWS provider ~5.0
  • terraform/variables.tf — Input variables for vpc_id, admin_cidr (SSH), and management_cidr (RDP) with validation that rejects both unrestricted CIDRs (0.0.0.0/0, ::/0) and malformed CIDR notation via can(cidrhost(...))
  • terraform/security_group.tf — Security group definition with least-privilege ingress and explicit egress
ingress {
  description = "SSH from admin network"
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = [var.admin_cidr]      # never 0.0.0.0/0
}

ingress {
  description = "RDP from management network"
  from_port   = 3389
  to_port     = 3389
  protocol    = "tcp"
  cidr_blocks = [var.management_cidr] # never 0.0.0.0/0
}

egress {
  description = "HTTPS outbound for authentication flows"
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}

The variable validators act as a hard guardrail — terraform plan/apply will fail if either CIDR is set to an unrestricted range, preventing accidental regression.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Security] [CRITICAL] Security groups should not allow unrestricted access to ports with high risk</issue_title>
<issue_description>> [!NOTE]

This issue was generated by the SRX Security Agent.

Severity: CRITICAL
Cloud Provider: AWS | Resource Type: EC2 Security Group

Problem Description

One or more EC2 security groups allow unrestricted ingress access to high-risk ports. Critical ports such as 22 for SSH and 3389 for RDP are commonly targeted by attackers for unauthorized access, brute force, or exploitation of vulnerabilities. Allowing ingress from 0.0.0.0/0 or ::/0 exposes these services to the entire internet and significantly increases the attack surface.

Remediation Guidance

Restrict ingress access on high-risk ports in the affected security groups so that only trusted networks or specific IP addresses can connect. Replace any rules that allow 0.0.0.0/0 or ::/0 on critical ports with least-privilege rules that match known administrative or application source networks. Where possible, separate administrative access from application traffic and clearly document the intent of each rule.

Affected Resources

  • arn:aws:ec2:us-east-2:222634381402:security-group/sg-0da688dac8d2b15d7

Remediation Steps

  1. Update ingress rules for the affected EC2 security groups to remove any entries that allow 0.0.0.0/0 or ::/0 on high-risk ports such as 22 and 3389.
  2. Add new ingress rules that permit required access to high-risk ports only from approved CIDR ranges or specific IP addresses.
  3. Split broad ingress rules into narrower, purpose-specific rules that align with the minimal access required by each consumer of the service.
  4. Add or update rule descriptions and tags to document the intended use, owner, and justification for each high-risk port rule.
  5. Align the security group configuration with organizational security standards and any applicable regulatory requirements for remote access and network exposure.

Code Examples

Terraform

resource "aws_security_group" "example_sg" {
  name        = "<YOUR_SECURITY_GROUP_NAME>"
  description = "Restricted access to high-risk ports"
  vpc_id      = "<YOUR_VPC_ID>"

  # Restricted SSH access from an approved admin network
  ingress {
    description = "SSH from admin network"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["<YOUR_ADMIN_CIDR>"]
  }

  # Example of restricted RDP access
  ingress {
    description = "RDP from management network"
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = ["<YOUR_MANAGEMENT_CIDR>"]
  }

  # Other necessary, least-privilege rules for application traffic can be defined here
}

# Remove or modify any existing ingress blocks that allow 0.0.0.0/0 or ::/0 on high-risk ports.

CloudFormation

Resources:
  RestrictedSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Restricted access to high-risk ports
      VpcId: <YOUR_VPC_ID>
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: <YOUR_ADMIN_CIDR>
          Description: SSH from admin network
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: <YOUR_MANAGEMENT_CIDR>
          Description: RDP from management network
      # Remove or replace any rules that allow 0.0.0.0/0 or ::/0 on high-risk ports.

Validation Steps

  1. Review the IaC configuration for each affected security group to confirm that no ingress rules allow 0.0.0.0/0 or ::/0 on high-risk ports.
  2. Confirm that all high-risk port rules reference only approved CIDR ranges or specific IP addresses based on documented access requirements.
  3. Check that rule descriptions and tags clearly identify the purpose and owner for each high-risk port rule.
  4. Compare the resulting configuration against organizational network access standards and any relevant compliance controls.
  5. Verify that application and administrative connectivity requirements are satisfied using the updated, restricted rules.

Copilot Instructions

Do

  • Search the repository for existing aws_security_group or AWS::EC2::SecurityGroup definitions related to the affected environment or account.
  • Modify existing security group resources to replace unrestricted ingress on high-risk ports with restricted rules that use approved CIDR ranges.
  • Preserve existing non-security attributes and only adjust ingress rules required to remove public exposure.
  • Keep rule descriptions and tags consistent with organizational naming and documentation standards.
  • Use the provided Terraform and CloudFormation examples as templates, substituting appropriate values for the target environment.

Do Not

  • Do not create duplicate security groups when an existing one is clearly associated with the affected resources.
  • Do n...

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

… ports 22 and 3389

Co-authored-by: pagarwal-dev <224537592+pagarwal-dev@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix unrestricted access to high-risk ports in security groups [Security] Restrict EC2 security group ingress on high-risk ports 22 and 3389 Mar 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] [CRITICAL] Security groups should not allow unrestricted access to ports with high risk

2 participants