How to deny all inbound security group rules open to the internet using Firewall Manager with some exceptions?


My goal is to restrict security group rules that are open to the public, i.e. 0.0.0.0/0 or ::0, across multiple accounts (and regions) in an organization, with ***some*** exceptions, e.g. port 80 and port 443 can be open inbound to the public, and maybe other custom exceptions later on for some OUs etc.

I found Firewall Manager seems to be the best tool for the job, using steps from:

I have created a "template" audit security group:


But the problem is that although it's picking up noncompliance for a security group rule with ALL traffic, it's not able to determine the right action to block/remove the rule. Is this because it contains HTTP and HTTPS within the range of ports? How can I get past this problem? If a user were to create the ALL inbound rule, I would want it to be denied.


One solution I thought of was to instead make a template with all the denies explicitly and use that, but this seems to be an arduous task, as you would need to make an IPv4 and IPv6 rule for each TCP / UDP port (> 65,534), which I clearly won't want to do. But I still want to operate from a basis of the principle of least privilege, which is why I liked the original solution; however, it is running into the issue with the ALL inbound rule. Any suggestions?

Thanks.
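As an added example (not part of the original post, and not code from AWS Firewall Manager), the check below applies the policy the question describes to security groups in the shape returned by boto3's `ec2.describe_security_groups()`: any ingress rule whose source is 0.0.0.0/0 or ::/0 is reported unless it is an exact match for an allow-listed exception (TCP 80 and TCP 443 by default). The sample groups, group IDs and the `allowed` set are constructed for this example. It deliberately treats an ALL-traffic rule, or a wide range such as 0-65535, as noncompliant even though the range contains ports 80 and 443, which is the case the question raises.

```python
"""Report security-group ingress rules open to the internet beyond an allow-list.

Added example; not from the original post or from AWS Firewall Manager.
Input follows boto3's ec2.describe_security_groups() structure; the sample
groups at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Only the two "anywhere" sources named in the question count as public here.
PUBLIC_CIDRS = {ip_network("0.0.0.0/0"), ip_network("::/0")}

# Exceptions that may be open inbound to the internet: (protocol, port).
DEFAULT_ALLOWED = frozenset({("tcp", 80), ("tcp", 443)})


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    reason: str


def is_public(cidr: str) -> bool:
    """True only for 0.0.0.0/0 or ::/0; any narrower prefix is out of scope."""
    return ip_network(cidr, strict=False) in PUBLIC_CIDRS


def port_span(perm: dict):
    """Return (protocol, from_port, to_port). Protocol -1 (all traffic)
    carries no FromPort/ToPort in the API, so it is treated as 0-65535."""
    proto = str(perm["IpProtocol"])
    if proto == "-1":
        return proto, 0, 65535
    return proto, int(perm.get("FromPort", 0)), int(perm.get("ToPort", 65535))


def evaluate_permission(group_id: str, perm: dict, allowed=DEFAULT_ALLOWED):
    """Findings for one IpPermissions entry (one rule, possibly several CIDRs)."""
    proto, lo, hi = port_span(perm)
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    findings = []
    for cidr in cidrs:
        if not is_public(cidr):
            continue  # private or partner source: not what this policy covers
        if proto == "-1":
            findings.append(Finding(group_id, proto, lo, hi, cidr,
                                    "all traffic open to the internet"))
        elif lo == hi and (proto, lo) in allowed:
            continue  # exact match on an allowed exception, e.g. tcp/443
        else:
            # A range that merely contains an allowed port (0-65535, 0-1024,
            # ...) is wider than the exception and is therefore reported.
            findings.append(Finding(group_id, proto, lo, hi, cidr,
                                    f"{proto} {lo}-{hi} exceeds the allowed public exceptions"))
    return findings


def evaluate_security_groups(groups, allowed=DEFAULT_ALLOWED):
    """Flatten findings across all groups and all of their ingress rules."""
    return [f
            for g in groups
            for perm in g.get("IpPermissions", [])
            for f in evaluate_permission(g["GroupId"], perm, allowed)]


# Constructed sample input (same shape as describe_security_groups output).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for f in evaluate_security_groups(SAMPLE_GROUPS):
        print(f"{f.group_id}: {f.reason} ({f.cidr})")
```

Run against the sample data it reports three rules: both CIDRs of the all-traffic rule in the first group and the 0-65535 rule in the second, while the exact TCP 80 and 443 exceptions and the internal 10.0.0.0/8 rule pass. Widening or narrowing the policy is a matter of passing a different `allowed` set; with an empty set every public rule is reported. Such a check is for detection and reporting, which fits how security groups work: there is no deny rule to add, so remediation means removing or narrowing the offending allow rule.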

1 Answer

I could be misunderstanding what you're trying to do and your question, but Security Groups do not support Deny rules. It's the absence of Allow rules that implicitly denies traffic. To deny traffic, you have the option of using a Network Access Control List (NACL). These operate on a subnet level.

AWS_Or (AWS), answered a month ago
Expert reviewed a month ago
  • Yeah I think there was a misunderstanding, I'm not trying to create a deny all security group. To quote the goal and problem (with slight modification) in my original post:

    "My goal is to restrict security group rules that are open to the public, i.e. 0.0.0.0/0 or ::0, across multiple accounts (and regions) in an organization, with ***some*** exceptions, e.g. port 80 and port 443 can be open inbound to the public, and maybe other custom exceptions later on for some OUs etc.

    The problem is that although Firewall Manager is picking up noncompliance for a security group rule with ALL traffic, it's not able to determine the right action to block/remove the rule. Is this because it contains HTTP and HTTPS within the range of ports? How can I get past this problem? If a user were to create the ALL inbound rule, I would want the rule to be removed."

    The idea is that users may manually create these open rules and I want those rules removed and/or not allowed to be created etc.

    In
