AWS security group modification allowing access from any IP address
Description
AlphaSOC detected a modification to an AWS security group that now allows access from any IP address (0.0.0.0/0) to unusual ports or the SSH port (22). This change significantly broadens the attack surface by allowing inbound traffic from the entire internet.
Impact
Opening access from any IP address increases the potential security risk to AWS resources. This configuration could allow unexpected access to services, particularly if combined with SSH access on port 22. While it does not automatically result in compromise, this broader access increases the likelihood of unauthorized connection attempts and may conflict with security best practices that recommend limiting access to known IP ranges. When SSH access is involved, the risk is higher, because an SSH service reachable from the internet could be used for unauthorized system access if other security controls are not properly configured.
Severity
| Severity | Condition |
|---|---|
| Informational | Modification of AWS security group detected |
Investigation and Remediation
Identify the user who made the change, the allowed IP range, and the affected ports (SSH on port 22 or any unusual ports). If the change was unauthorized, revert the security group to its previous state so that only the necessary IP ranges are allowed, and isolate the affected EC2 instance from the network. Determine which EC2 instances use the modified security group, identify the services running on those instances, and assess their exposure to external threats.
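The first triage step above (who made the change, which CIDR, which ports) can be pulled straight out of the CloudTrail record for the change. The following is an added example, not AlphaSOC's detection code; it assumes the field layout of a CloudTrail AuthorizeSecurityGroupIngress event (requestParameters.ipPermissions.items with ipRanges/ipv6Ranges), uses a constructed record, and treats only ports 80 and 443 as expected public ports, which is an assumption you would tune to your environment.

```python
# Assumption for this example: only 80/443 are expected to be reachable
# from the internet; any other port, and SSH in particular, is "unusual".
EXPECTED_PUBLIC_PORTS = {80, 443}
SSH_PORT = 22
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

# Constructed record modelled on the shape of a real CloudTrail event
# (the ARN, group id and rules are made up for this example).
SAMPLE_EVENT = {
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-admin"},
    "requestParameters": {
        "groupId": "sg-0example",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "udp", "fromPort": 5000, "toPort": 5010,
             "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
        ]},
    },
}

def find_open_rules(event):
    """Return rules in one record that open SSH or an unusual port to any IP,
    with the actor, group, CIDR and port range needed for triage."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    user = event.get("userIdentity", {}).get("arn", "unknown")
    params = event.get("requestParameters", {})
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol")
        # ipProtocol "-1" means all traffic and the port fields are omitted.
        lo = perm.get("fromPort", 0 if proto == "-1" else None)
        hi = perm.get("toPort", 65535 if proto == "-1" else None)
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr not in ANY_ADDRESS or lo is None or hi is None:
                continue
            ssh = lo <= SSH_PORT <= hi
            unusual = not (lo == hi and lo in EXPECTED_PUBLIC_PORTS)
            if ssh or unusual:
                findings.append({"user": user, "group": params.get("groupId"), "cidr": cidr,
                                 "protocol": proto, "from_port": lo, "to_port": hi, "ssh": ssh})
    return findings
```

On the constructed record the 443 rule is left alone while the SSH rule and the IPv6 UDP range are reported, each with the actor ARN and group id needed for the revert decision.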
Known False Positives
- Temporary allowance for maintenance or troubleshooting purposes by authorized personnel
- Automated scripts or infrastructure-as-code tools applying broad permissions during initial deployment stages
- Testing environments where security controls are intentionally relaxed for development purposes