How can I troubleshoot the error "InvalidPermission.NotFound" with the AWS Config rule vpc-sg-open-only-to-authorized-ports and Systems Manager Automation document AWS-DisablePublicAccessForSecurityGroup?

2 minute read

I created the AWS Systems Manager Automation document AWS-DisablePublicAccessForSecurityGroup to disable SSH and RDP ports. However, auto-remediation fails with the AWS Config rule vpc-sg-open-only-to-authorized-ports. I receive an error similar to the following:

"An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group."

Short description

The AWS Config rule checks that the security group allows inbound TCP or UDP traffic to 0.0.0.0/0. For example, to allow TCP ports 443 and 1020-1025 access to 0.0.0.0/0, specify the ports in the AWS Config rule parameter. The SSM Document AWS-DisablePublicAccessForSecurityGroup is limited to the default SSH 22 and RDP 3389 ports opened to all IP addresses (0.0.0.0/0), or a specified IPv4 address using the IpAddressToBlock parameter.

Resolution

The client error InvalidPermission.NotFound with the RevokeSecurityGroupIngress API action means that the target security group doesn't have an inbound rule, or isn't located in the default Amazon Virtual Private Cloud (Amazon VPC).

Important: Before you begin, be sure that you installed and configured the AWS Command Line Interface (AWS CLI).

To verify the error message, run the AWS CLI command describe-remediation-execution-status similar to the following:

aws configservice describe-remediation-execution-status --config-rule-name vpc-sg-open-only-to-authorized-ports --region af-south-1 --resource-keys resourceType=AWS::EC2::SecurityGroup,resourceId=sg-1234567891234567891

The inbound rules for the security group must specify open ports using one of the following patterns:

0.0.0.0/0

::/0

SSH or RDP port + 0.0.0.0/0

SSH or RDP port + ::/0

To configure auto-remediation for other ports including 22 and 3389, you can use a custom SSM document to automate the process. For instructions, see Creating Systems Manager documents.

Related information

Why did the AWS Config auto remediation action for the SSM document AWS-ConfigureS3BucketLogging fail with the error "(MalformedXML)" when calling the PutBucketLogging API?

How can I resolve the error "NoSuchRemediationConfigurationException" or "unexpected internal error" when trying to delete a remediation action in AWS Config?

Topics

Management & Governance

Relevant content

How to enable AWS Systems Manager for Multi Account and Multi Region
Accepted Answer
AWS-User-9561877
asked 3 years ago
AWS Config Rule Automatic Remediation Failed (SSM Automation shows Success)
bielosx
asked 6 months ago
System Manager Automation Document restriction to use the S3 PutObject
CrateDigger
asked a month ago
How to troubleshoot AWS Config remediations issues?
CMPSoares
asked a year ago
Can I delete AWS Systems Manager Automation Execution History entries?
Patrick Mau
asked a year ago
Why did the AWS Config auto remediation action for the SSM document AWS-ConfigureS3BucketLogging fail with the error "(MalformedXML)" when calling the PutBucketLogging API?
AWS OFFICIALUpdated 3 years ago
How do I resolve permission errors with auto remediation for the AWS Config rule s3-bucket-logging-enabled?
AWS OFFICIALUpdated 3 years ago
How can I troubleshoot AWS Config console error messages?
AWS OFFICIALUpdated a month ago
How can I troubleshoot failed remediation actions in AWS Config?
AWS OFFICIALUpdated 2 years ago
Support Automation Workflow (SAW) Runbook: Troubleshoot AWS Systems Manager Session Manager
EXPERT
Maya Karalic
published 2 months ago