How do I troubleshoot the error "InvalidPermission.NotFound" with auto remediation for the AWS Config rule vpc-sg-open-only-to-authorized-ports?


I want to use the AWS-DisablePublicAccessForSecurityGroup runbook to turn off SSH and RDP ports. However, auto remediation fails with the "InvalidPermission.NotFound" error.

Short description

The AWS Config rule vpc-sg-open-only-to-authorized-ports checks whether a security group allows inbound TCP or UDP traffic from 0.0.0.0/0. For example, to authorize TCP ports 443 and 1020-1025 for access from 0.0.0.0/0, specify those ports in the AWS Config rule's parameters.

The AWS-DisablePublicAccessForSecurityGroup AWS Systems Manager automation runbook is limited to the following ports:

  • Default SSH 22 and RDP 3389 ports open to all IP addresses (0.0.0.0/0).
  • An IPv4 address that uses the IpAddressToBlock parameter.

Resolution

When your security group's inbound rules aren't configured in the form the runbook expects, the AWS-DisablePublicAccessForSecurityGroup runbook fails with an InvalidPermission.NotFound client error returned by the RevokeSecurityGroupIngress API action.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To verify the error message, run the describe-remediation-execution-status command similar to the following example:

aws configservice describe-remediation-execution-status \
  --config-rule-name vpc-sg-open-only-to-authorized-ports \
  --region us-east-1 \
  --resource-keys resourceType=AWS::EC2::SecurityGroup,resourceId=sg-1234567891234567891

The security group's inbound rules must match the open-port patterns listed on the AWS-DisablePublicAccessForSecurityGroup runbook page; a rule that exposes port 22 or 3389 in a different form (for example, as part of a wider port range) isn't matched by the runbook's revoke call.

To configure auto remediation for other ports, including 22 and 3389, use a custom Systems Manager document to automate the process. For more information, see Creating SSM document content.
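As an added example (not code from this article or from the runbook), the following Python checker classifies a security group's inbound rules against the exact patterns the runbook revokes, so you can see before remediation whether a RevokeSecurityGroupIngress call for tcp/22 or tcp/3389 from 0.0.0.0/0 would find a matching rule. The input mirrors the IpPermissions list of an EC2 DescribeSecurityGroups response; the sample security group below is constructed.

```python
PUBLIC_V4 = "0.0.0.0/0"
RUNBOOK_PORTS = (22, 3389)  # the runbook revokes exactly tcp/22 and tcp/3389 from 0.0.0.0/0

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response (not real data).
SAMPLE_SG = {
    "GroupId": "sg-1234567891234567891",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # exact runbook pattern
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},       # not public, out of scope
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # wide range that covers 3389
    ],
}

def _flatten(ip_permissions):
    """Yield (protocol, from_port, to_port, cidr) for every IPv4 range in the inbound rules."""
    for perm in ip_permissions:
        for ip_range in perm.get("IpRanges", []):
            yield (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), ip_range["CidrIp"])

def _exposes(rule, port):
    """True if this rule lets 0.0.0.0/0 reach the given TCP port."""
    proto, lo, hi, cidr = rule
    if cidr != PUBLIC_V4:
        return False
    if proto == "-1":            # all traffic: FromPort/ToPort are absent
        return True
    return proto == "tcp" and lo <= port <= hi

def assess(ip_permissions):
    """Per runbook port: is the exact rule present, and which other public rules still reach it?"""
    rules = list(_flatten(ip_permissions))
    report = {}
    for port in RUNBOOK_PORTS:
        exact = ("tcp", port, port, PUBLIC_V4)
        report[port] = {
            # RevokeSecurityGroupIngress needs an exact match; absent -> InvalidPermission.NotFound
            "exact_rule_present": exact in rules,
            # these rules survive the runbook and need a custom Systems Manager document
            "other_public_rules": [r for r in rules if r != exact and _exposes(r, port)],
        }
    return report

def not_found_ports(report):
    """Ports whose exact-match revoke would return InvalidPermission.NotFound."""
    return [p for p, r in report.items() if not r["exact_rule_present"]]

def needs_custom_document(report):
    """Ports still reachable from 0.0.0.0/0 through rules the runbook does not revoke."""
    return [p for p, r in report.items() if r["other_public_rules"]]
```

Run assess() on the IpPermissions of the group named in the failing remediation; any port listed by needs_custom_document() is the case the last paragraph above refers to.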

AWS OFFICIAL
Updated 6 months ago