Control: AWS > PCI v3.2.1 > EC2 > 5 Security groups should not allow ingress from 0.0.0.0/0 to port 22

This control checks whether security groups in use disallow unrestricted incoming SSH traffic.

It does not evaluate outbound traffic.

Note that security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out regardless of outbound rules.

Remediation

Perform the following steps for each security group associated with a VPC.

1. Open the Amazon VPC console. 2. In the navigation pane, under Security, choose Security groups. 3. Select a security group. 4. In the bottom section of the page, choose Inbound rules. 5. Choose Edit inbound rules. 6. Identify the rule that allows access through port 22 and then choose the X to remove it. 7. Choose Save rules.

PCI requirement(s): 1.2.1, 1.3.1, 2.2.2

Resource Types

This control targets the following resource types:

AWS > VPC > Security Group

Policies

This control type relies on these other policies when running actions:

AWS > PCI v3.2.1

In Your Workspace

Developers

Control Type URI

tmod:@turbot/aws-pciv3-2-1#/control/types/vpcSecurityGroupRemoteAdministration

Category URI

tmod:@turbot/turbot#/control/categories/compliancePci

GraphQL

query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/vpcSecurityGroupRemoteAdministration") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/vpcSecurityGroupRemoteAdministration'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/vpcSecurityGroupRemoteAdministration"