forked from aquasecurity/cloud-security-remediation-guides
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' of github.com:rtkwlf/cloud-security-remediation…
…-guides
- Loading branch information
Showing
121 changed files
with
623 additions
and
40 deletions.
There are no files selected for viewing
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| [](https://cloudsploit.com) | ||
|
|
||
| # AWS / EC2 / Open Cassandra Client | ||
|
|
||
| ## Quick Info | ||
|
|
||
| | | | | ||
| |-|-| | ||
| | **Plugin Title** | Open Cassandra Client | | ||
| | **Cloud** | AWS | | ||
| | **Category** | EC2 | | ||
| | **Description** | Determine if TCP port 9042 for Cassandra Client is open to the public | | ||
| | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Cassandra Client should be restricted to known IP addresses. | | ||
| | **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/changing-security-group.html#add-remove-security-group-rules | | ||
| | **Recommended Action** | Restrict TCP port 9042 to known IP addresses. | | ||
|
|
||
| ## Detailed Remediation Steps | ||
| 1. Log in to the AWS Management Console. | ||
| 2. From "Services" menu, select "EC2". </br> <img src="/resources/aws/ec2/open-cassandra-client/step2.png"/> | ||
| 3. In the left navigation pane, under "Network & Security", click "Security Groups".</br> <img src="/resources/aws/ec2/open-cassandra-client/step3.png"/> | ||
| 4. Select the "EC2 Security Group" that needs to be updated. </br> <img src="/resources/aws/ec2/open-cassandra-client/step4.png"/> | ||
| 5. Go to the "Inbound rules" tab and click "Edit inbound rules".</br> <img src="/resources/aws/ec2/open-cassandra-client/step5.png"/> | ||
| 6. For any inbound rule allowing unrestricted access to TCP port 9042 (source set to 0.0.0.0/0 or ::/0), take the following actions: | ||
| * From the **Source** dropdown, select one of the following: | ||
| * **My IP** (if you have a static IP) to restrict access to your machine only.</br> <img src="/resources/aws/ec2/open-cassandra-client/step6-1.png"/> | ||
| * **Custom** and specify: </br> <img src="/resources/aws/ec2/open-cassandra-client/step6-2.png"/> | ||
| * The static IP or Elastic IP of an authorized machine, using the /32 suffix (e.g., 203.0.113.25/32) for single-host access. | ||
| * An IP address range for trusted networks in CIDR notation (e.g., 203.0.113.0/24). | ||
| * The **Security Group ID** of another trusted group in the same region. | ||
| 7. Click the "Save rules" to apply the updates. </br> <img src="/resources/aws/ec2/open-cassandra-client/step7.png"/> | ||
| 8. Repeat steps 4 to 7 to update other EC2 security groups that permit unrestricted access to the cassandra client. | ||
| 9. Switch AWS regions in the top navigation bar to repeat this process for other regions. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| [](https://cloudsploit.com) | ||
|
|
||
| # AWS / EC2 / Open Cassandra Monitoring | ||
|
|
||
| ## Quick Info | ||
|
|
||
| | | | | ||
| |-|-| | ||
| | **Plugin Title** | Open Cassandra Monitoring | | ||
| | **Cloud** | AWS | | ||
| | **Category** | EC2 | | ||
| | **Description** | Determine if TCP port 7199 for Cassandra Monitoring is open to the public | | ||
| | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Cassandra Monitoring should be restricted to known IP addresses. | | ||
| | **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/changing-security-group.html#add-remove-security-group-rules | | ||
| | **Recommended Action** | Restrict TCP port 7199 to known IP addresses. | | ||
|
|
||
| ## Detailed Remediation Steps | ||
| 1. Log in to the AWS Management Console. | ||
| 2. From "Services" menu, select "EC2". </br> <img src="/resources/aws/ec2/open-cassandra-client/step2.png"/> | ||
| 3. In the left navigation pane, under "Network & Security", click "Security Groups".</br> <img src="/resources/aws/ec2/open-cassandra-client/step3.png"/> | ||
| 4. Select the "EC2 Security Group" that needs to be updated. </br> <img src="/resources/aws/ec2/open-cassandra-client/step4.png"/> | ||
| 5. Go to the "Inbound rules" tab and click "Edit inbound rules".</br> <img src="/resources/aws/ec2/open-cassandra-client/step5.png"/> | ||
| 6. For any inbound rule allowing unrestricted access to TCP port 7199 (source set to 0.0.0.0/0 or ::/0), take the following actions: | ||
| * From the **Source** dropdown, select one of the following: | ||
| * **My IP** (if you have a static IP) to restrict access to your machine only.</br> <img src="/resources/aws/ec2/open-cassandra-client/step6-1.png"/> | ||
| * **Custom** and specify:</br> <img src="/resources/aws/ec2/open-cassandra-client/step6-2.png"/> | ||
| * The static IP or Elastic IP of an authorized machine, using the /32 suffix (e.g., 203.0.113.25/32) for single-host access. | ||
| * An IP address range for trusted networks in CIDR notation (e.g., 203.0.113.0/24). | ||
| * The **Security Group ID** of another trusted group in the same region. | ||
| 7. Click "Save rules" to apply the updates. </br> <img src="/resources/aws/ec2/open-cassandra-client/step7.png"/> | ||
| 8. Repeat steps 4 to 7 for all other security groups that that permit unrestricted access to the cassandra monitoring in the current region. | ||
| 9. Switch AWS regions in the top navigation bar to repeat this process for other regions. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| [](https://cloudsploit.com) | ||
|
|
||
| # AWS / EC2 / Open Cassandra Thrift | ||
|
|
||
| ## Quick Info | ||
|
|
||
| | | | | ||
| |-|-| | ||
| | **Plugin Title** | Open Cassandra Thrift | | ||
| | **Cloud** | AWS | | ||
| | **Category** | EC2 | | ||
| | **Description** | Determine if TCP port 9160 for Cassandra Thrift is open to the public. | | ||
| | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Cassandra Thrift should be restricted to known IP addresses. | | ||
| | **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/changing-security-group.html#add-remove-security-group-rules | | ||
| | **Recommended Action** | Restrict TCP port 9160 to known IP addresses. | | ||
|
|
||
| ## Detailed Remediation Steps | ||
| 1. Log in to the AWS Management Console. | ||
| 2. From "Services" menu, select "EC2". </br> <img src="/resources/aws/ec2/open-cassandra-client/step2.png"/> | ||
| 3. In the left navigation pane, under "Network & Security", click "Security Groups".</br> <img src="/resources/aws/ec2/open-cassandra-client/step3.png"/> | ||
| 4. Select the "EC2 Security Group" that needs to be updated. </br> <img src="/resources/aws/ec2/open-cassandra-client/step4.png"/> | ||
| 5. Go to the "Inbound rules" tab and click "Edit inbound rules".</br> <img src="/resources/aws/ec2/open-cassandra-client/step5.png"/> | ||
| 6. For any inbound rule allowing unrestricted access to TCP port 9160 (source set to 0.0.0.0/0 or ::/0), take the following actions: | ||
| 1. From the **Source** dropdown, select one of the following: | ||
| * **My IP** (if you have a static IP) to restrict access to your machine only.</br> <img src="/resources/aws/ec2/open-cassandra-client/step6-1.png"/> | ||
| * **Custom** and specify:</br> <img src="/resources/aws/ec2/open-cassandra-client/step6-2.png"/> | ||
| * The static IP or Elastic IP of an authorized machine, using the /32 suffix (e.g., 203.0.113.25/32) for single-host access. | ||
| * An IP address range for trusted networks in CIDR notation (e.g., 203.0.113.0/24). | ||
| * The **Security Group ID** of another trusted group in the same region. | ||
| 7. Click "Save rules" to apply the updates. </br> <img src="/resources/aws/ec2/open-cassandra-client/step7.png"/> | ||
| 8. Repeat steps 4 to 7 for all other security groups that that permit unrestricted access to the cassandra thrift in the current region. | ||
| 9. Switch AWS regions in the top navigation bar to repeat this process for other regions. |
Empty file.
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| [](https://cloudsploit.com) | ||
|
|
||
| # AWS / EC2 / Open LDAP | ||
|
|
||
| ## Quick Info | ||
|
|
||
| | | | | ||
| |-|-| | ||
| | **Plugin Title** | Open LDAP | | ||
| | **Cloud** | AWS | | ||
| | **Category** | EC2 | | ||
| | **Description** | Determine if TCP or UDP port 389 for LDAP is open to the public. | | ||
| | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as LDAP should be restricted to known IP addresses. | | ||
| | **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/changing-security-group.html#add-remove-security-group-rules | | ||
| | **Recommended Action** | Restrict TCP or UDP port 389 to known IP addresses. | | ||
|
|
||
| ## Detailed Remediation Steps | ||
| 1. Log in to the AWS Management Console. | ||
| 2. From "Services" menu, select "EC2". </br> <img src="/resources/aws/ec2/open-ldap/step2.png"/> | ||
| 3. In the left navigation pane, under "Network & Security", click "Security Groups".</br> <img src="/resources/aws/ec2/open-ldap/step3.png"/> | ||
| 4. Select the "EC2 Security Group" that needs to be updated. </br> <img src="/resources/aws/ec2/open-ldap/step4.png"/> | ||
| 5. Go to the "Inbound rules" tab and click "Edit inbound rules".</br> <img src="/resources/aws/ec2/open-ldap/step5.png"/> | ||
| 6. For any inbound rule allowing unrestricted access (source set to 0.0.0.0/0 or ::/0) to port 389, take the following actions: | ||
| * From the **Source** dropdown, select one of the following: | ||
| * **My IP** (if you have a static IP) to restrict access to your machine only (ideal for administrative purposes).</br> <img src="/resources/aws/ec2/open-ldap/step6-1.png"/> | ||
| * **Custom**: specify trusted IP ranges using CIDR notation, such as:</br> <img src="/resources/aws/ec2/open-ldap/step6-2.png"/> | ||
| * A single IP: `203.0.113.25/32`. | ||
| * A subnet: `203.0.113.0/24`. | ||
| * A Security Group ID for internal AWS access. | ||
| 7. Click "Save rules" to apply the updated security group settings. </br> <img src="/resources/aws/ec2/open-ldap/step7.png"/> | ||
| 8. Switch AWS regions in the top navigation bar to repeat this process for other regions. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| [](https://cloudsploit.com) | ||
|
|
||
| # AWS / EC2 / Open LDAPS | ||
|
|
||
| ## Quick Info | ||
|
|
||
| | | | | ||
| |-|-| | ||
| | **Plugin Title** | Open LDAPS | | ||
| | **Cloud** | AWS | | ||
| | **Category** | EC2 | | ||
| | **Description** | Determine if TCP port 636 for LDAP SSL is open to the public. | | ||
| | **More Info** | LDAP SSL port 636 is used for Secure LDAP authentication. Allowing Inbound traffic from any IP address to TCP port 636 is vulnerable to DoS attacks. It is a best practice to block port 636 from the public internet. | | ||
| | **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/changing-security-group.html#add-remove-security-group-rules | | ||
| | **Recommended Action** | Restrict TCP port 636 to known IP addresses. | | ||
|
|
||
| ## Detailed Remediation Steps | ||
| 1. Log in to the AWS Management Console. | ||
| 2. From "Services" menu, select "EC2". </br> <img src="/resources/aws/ec2/open-ldaps/step2.png"/> | ||
| 3. In the left navigation pane, under "Network & Security", click "Security Groups".</br> <img src="/resources/aws/ec2/open-ldaps/step3.png"/> | ||
| 4. Select the "EC2 Security Group" that needs to be updated. </br> <img src="/resources/aws/ec2/open-ldaps/step4.png"/> | ||
| 5. Go to the "Inbound rules" tab and click "Edit inbound rules".</br> <img src="/resources/aws/ec2/open-ldaps/step5.png"/> | ||
| 6. For any inbound rule allowing unrestricted access (source set to 0.0.0.0/0 or ::/0) to port 636, take the following actions: | ||
| * From the **Source** dropdown, select one of the following: | ||
| * **My IP** (if you have a static IP) to restrict access to your machine only (ideal for administrative purposes).</br> <img src="/resources/aws/ec2/open-ldaps/step6-1.png"/> | ||
| * **Custom**: specify trusted IP ranges using CIDR notation, such as:</br> <img src="/resources/aws/ec2/open-ldaps/step6-2.png"/> | ||
| * A single IP: `203.0.113.25/32`. | ||
| * A subnet: `203.0.113.0/24`. | ||
| * A Security Group ID for internal AWS access. | ||
| 7. Click "Save rules" to apply the updated security group settings. </br> <img src="/resources/aws/ec2/open-ldaps/step7.png"/> | ||
| 8. Switch AWS regions in the top navigation bar to repeat this process for other regions. |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| [](https://cloudsploit.com) | ||
|
|
||
| # AWS / EC2 / Open MongoDB | ||
|
|
||
| ## Quick Info | ||
|
|
||
| | | | | ||
| |-|-| | ||
| | **Plugin Title** | Open MongoDB | | ||
| | **Cloud** | AWS | | ||
| | **Category** | EC2 | | ||
| | **Description** | Determine if TCP port 27017 or 27018 or 27019 for MongoDB is open to the public | | ||
| | **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as MongoDB should be restricted to known IP addresses. | | ||
| | **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/changing-security-group.html#add-remove-security-group-rules | | ||
| | **Recommended Action** | Restrict TCP port 27017 or 27018 or 27019 to known IP addresses. | | ||
|
|
||
| ## Detailed Remediation Steps | ||
| 1. Log in to the AWS Management Console. | ||
| 2. From "Services" menu, select "EC2". </br> <img src="/resources/aws/ec2/open-mongodb/step2.png"/> | ||
| 3. In the left navigation pane, under "Network & Security", click "Security Groups".</br> <img src="/resources/aws/ec2/open-mongodb/step3.png"/> | ||
| 4. Select the "EC2 Security Group" that needs to be updated. </br> <img src="/resources/aws/ec2/open-mongodb/step4.png"/> | ||
| 5. Go to the "Inbound rules" tab and click "Edit inbound rules".</br> <img src="/resources/aws/ec2/open-mongodb/step5.png"/> | ||
| 6. For any inbound rule allowing unrestricted access to TCP port 27017, 27018 or 27019 (source set to 0.0.0.0/0 or ::/0), take the following actions: | ||
| * From the **Source** dropdown, select one of the following: | ||
| * **My IP** (if you have a static IP) to restrict access to your machine only.</br> <img src="/resources/aws/ec2/open-mongodb/step6-1.png"/> | ||
| * **Custom** and specify: </br> <img src="/resources/aws/ec2/open-mongodb/step6-2.png"/> | ||
| * The static IP or Elastic IP of an authorized machine, using the /32 suffix (e.g., 203.0.113.25/32) for single-host access. | ||
| * An IP address range for trusted networks in CIDR notation (e.g., 203.0.113.0/24). | ||
| * The **Security Group ID** of another trusted group in the same region. | ||
| 7. Click the "Save rules" to apply the updates. </br> <img src="/resources/aws/ec2/open-mongodb/step7.png"/> | ||
| 8. Repeat steps 4 to 7 to update other EC2 security groups that permit unrestricted access to the MongoDB database. | ||
| 9. Switch AWS regions in the top navigation bar to repeat this process for other regions. |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| [](https://cloudsploit.com) | ||
|
|
||
| # AWS / EC2 / Open SNMP | ||
|
|
||
| ## Quick Info | ||
|
|
||
| | | | | ||
| |-|-| | ||
| | **Plugin Title** | Open SNMP | | ||
| | **Cloud** | AWS | | ||
| | **Category** | EC2 | | ||
| | **Description** | Determine if UDP port 161 for SNMP is open to the public. | | ||
| | **More Info** | SNMP UDP 161 used by various devices and applications for logging events, monitoring and management. Allowing Inbound traffic from any external IP address on port 161 is vulnerable to DoS attack. It is a best practice to block port 161 completely unless explicitly required. | | ||
| | **AWS Link** | https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/changing-security-group.html#add-remove-security-group-rules | | ||
| | **Recommended Action** | Restrict UDP port 161 to known IP addresses. | | ||
|
|
||
| ## Detailed Remediation Steps | ||
| 1. Log in to the AWS Management Console. | ||
| 2. From "Services" menu, select "EC2". </br> <img src="/resources/aws/ec2/open-snmp/step2.png"/> | ||
| 3. In the left navigation pane, under "Network & Security", click "Security Groups".</br> <img src="/resources/aws/ec2/open-snmp/step3.png"/> | ||
| 4. Select the "EC2 Security Group" that needs to be updated. </br> <img src="/resources/aws/ec2/open-snmp/step4.png"/> | ||
| 5. Go to the "Inbound rules" tab and click "Edit inbound rules".</br> <img src="/resources/aws/ec2/open-snmp/step5.png"/> | ||
| 6. For any inbound rule allowing unrestricted access (source set to 0.0.0.0/0 or ::/0) to port 161, take the following actions: | ||
| * From the **Source** dropdown, select one of the following: | ||
| * **My IP** (if you have a static IP) to restrict access to your machine only (ideal for administrative purposes).</br> <img src="/resources/aws/ec2/open-snmp/step6-1.png"/> | ||
| * **Custom**: specify trusted IP ranges using CIDR notation, such as:</br> <img src="/resources/aws/ec2/open-snmp/step6-2.png"/> | ||
| * A single IP: `203.0.113.25/32`. | ||
| * A subnet: `203.0.113.0/24`. | ||
| * A Security Group ID for internal AWS access. | ||
| 7. Click "Save rules" to apply the updated security group settings. </br> <img src="/resources/aws/ec2/open-snmp/step7.png"/> | ||
| 8. Switch AWS regions in the top navigation bar to repeat this process for other regions. |
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.