Skip to content

Restrict EC2 security group ingress on SSH (22) and RDP (3389) to trusted CIDRs#39

Draft
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-ec2-security-group-access
Draft

Restrict EC2 security group ingress on SSH (22) and RDP (3389) to trusted CIDRs#39
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/fix-ec2-security-group-access

Conversation

Copilot AI commented Mar 6, 2026

Copy link
Copy Markdown
Contributor

Security group sg-064d2f895824a22f1 (us-east-2) had unrestricted ingress (0.0.0.0/0) on SSH and RDP, exposing instances directly to the internet.

Changes

  • infra/security_group.tf — Defines aws_security_group.authentication_service with SSH (22) and RDP (3389) ingress scoped to var.trusted_admin_cidr instead of 0.0.0.0/0/::/0. Each rule includes a description; resource tagged with Owner, Purpose, and ManagedBy.
  • infra/variables.tf — Declares trusted_admin_cidr (list(string), no default — forces explicit supply of approved CIDRs at deploy time) and vpc_id.
ingress {
  description = "SSH from trusted admin network"
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = var.trusted_admin_cidr  # e.g. ["10.0.0.0/24"]
}

The absence of a default on trusted_admin_cidr ensures no deployment can accidentally reintroduce an open CIDR.

Original prompt

This section details on the original issue you should resolve

<issue_title>[Security] [CRITICAL] Security groups should not allow unrestricted access to ports with high risk</issue_title>
<issue_description>> [!NOTE]

This issue was generated by the SRX Security Agent.

Severity: CRITICAL
Cloud Provider: AWS | Resource Type: EC2 Security Group

Problem Description

One or more EC2 security groups allow unrestricted ingress from 0.0.0.0/0 or ::/0 on high-risk ports such as SSH (22) and RDP (3389). This configuration exposes instances directly to the internet, significantly increasing the risk of brute force attacks, credential stuffing, exploitation of vulnerabilities, and unauthorized access.

Remediation Guidance

Restrict ingress to high-risk ports in the EC2 security groups by removing unrestricted 0.0.0.0/0 and ::/0 rules and replacing them with tightly scoped CIDR ranges that represent approved administrative networks or jump hosts. Maintain least-privilege access while preserving required connectivity for operations and support.

Affected Resources

  • arn:aws:ec2:us-east-2:222634381402:security-group/sg-064d2f895824a22f1

Remediation Steps

  1. Update security group ingress rules for high-risk ports to replace 0.0.0.0/0 and ::/0 with approved CIDR ranges.
  2. Separate administrative access rules for SSH and RDP into dedicated rules that reference only trusted source networks.
  3. Remove any redundant or unused ingress rules that expose high-risk ports without a clear operational need.
  4. Add clear descriptions and tags on each high-risk port rule to document owner, purpose, and change context.

Code Examples

Terraform

resource "aws_security_group" "example" {
  name        = "<YOUR_SG_NAME>"
  description = "Restricted access to high-risk ports"
  vpc_id      = "<YOUR_VPC_ID>"

  ingress {
    description = "SSH from trusted admin network"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["<YOUR_TRUSTED_ADMIN_CIDR>"]
  }

  ingress {
    description = "RDP from trusted admin network"
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = ["<YOUR_TRUSTED_ADMIN_CIDR>"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

CloudFormation

Resources:
  SecurityGroupExample:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Restricted access to high-risk ports
      VpcId: <YOUR_VPC_ID>
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: <YOUR_TRUSTED_ADMIN_CIDR>
          Description: SSH from trusted admin network
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: <YOUR_TRUSTED_ADMIN_CIDR>
          Description: RDP from trusted admin network

Validation Steps

  1. Review the IaC configuration to confirm that no ingress rules for ports 22 or 3389 reference 0.0.0.0/0 or ::/0.
  2. Verify that all high-risk port rules use only approved CIDR ranges that correspond to trusted administrative networks or jump hosts.
  3. Confirm that security group rule descriptions and tags clearly document owner, purpose, and ticket or change reference.
  4. Check for any remaining high-risk port rules that are not required and remove them if they are unused.

Copilot Instructions

Do

  • Search the repository for EC2 security group definitions related to the affected environment.
  • Identify ingress rules that allow 0.0.0.0/0 or ::/0 on high-risk ports such as 22 and 3389.
  • Modify existing security group resources to replace unrestricted CIDR ranges with placeholders for approved admin networks.
  • Preserve all non-security-related attributes on the security group resources while tightening ingress rules.

Do Not

  • Do not create new security groups if suitable existing groups already serve the same purpose.
  • Do not remove or rename security group resources or references without a clear requirement.
  • Do not introduce broader CIDR ranges than the current approved administrative scopes.
  • Do not modify unrelated networking resources such as route tables or subnets.

Generated by SRX Security Agent | triggered by Smora+47b201c5@newrelic.com</issue_description>

Comments on the Issue (you are @copilot in this section)


💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

…orts

Co-authored-by: pagarwal-dev <224537592+pagarwal-dev@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix unrestricted access on high-risk ports in security groups Restrict EC2 security group ingress on SSH (22) and RDP (3389) to trusted CIDRs Mar 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] [CRITICAL] Security groups should not allow unrestricted access to ports with high risk

2 participants