
AWS security group modification allowing access from any IP address

ID: aws_ec2_open_port
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0003:T1133

Description

AlphaSOC detected a modification to an AWS security group that now allows access from any IP address (0.0.0.0/0) to unusual ports or the SSH port (22). This change significantly broadens the attack surface by allowing inbound traffic from the entire internet.

Impact

Opening access from any IP address increases the security risk to AWS resources. Such a configuration can expose services to unexpected connections, particularly when it is combined with SSH access on port 22. While the change does not by itself result in compromise, the broader exposure increases the likelihood of unauthorized connection attempts and may conflict with security best practices that recommend limiting access to known IP ranges. When SSH access is involved there is additional risk, because the open port could be used for unauthorized system access if other security controls are not properly configured.

Severity

Severity       Condition
Informational  Modification of AWS security group detected

Investigation and Remediation

Identify the user who made the change, the allowed IP range, and the affected ports (SSH on port 22 or any unusual ports). If the change was unauthorized, revert the security group to its previous state, allowing only the necessary IP ranges, and isolate the affected EC2 instance from the network. Determine which EC2 instances are associated with the modified security group, identify the services running on those instances, and assess their exposure to external threats.
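The following Python script is an added example (not AlphaSOC's detection code) showing both halves of the workflow above: it applies the detection logic from the Description to CloudTrail AuthorizeSecurityGroupIngress records, pulling out the actor, security group, CIDR and port range for each rule that opens 0.0.0.0/0 or ::/0 to SSH or to an unexpected port, and it builds the exact AWS CLI revocation call for a finding once the change has been confirmed as unauthorized. The set of ports treated as "expected" public ports and the sample CloudTrail events are assumptions constructed for illustration; the record layout (EC2 list parameters nested as {"items": [...]}) follows the CloudTrail format for EC2 API calls.

```python
"""Triage of CloudTrail AuthorizeSecurityGroupIngress events for world-open rules.

Added example, not AlphaSOC's code. EXPECTED_PUBLIC_PORTS and SAMPLE_EVENTS are
constructed assumptions for illustration.
"""
import ipaddress
import json
import shlex

# Assumption: the ports this environment intentionally exposes to the internet.
EXPECTED_PUBLIC_PORTS = {80, 443}
SSH_PORT = 22
WORLD = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def _items(obj):
    """CloudTrail nests EC2 list parameters as {"items": [...]}; tolerate a bare list."""
    if isinstance(obj, dict):
        return obj.get("items", [])
    return obj or []


def _port_range(perm):
    """Return (from, to) for one ipPermissions entry; protocol -1 means every port."""
    if str(perm.get("ipProtocol", "-1")) == "-1":
        return 0, 65535
    return int(perm.get("fromPort", 0)), int(perm.get("toPort", 65535))


def _is_world(cidr):
    """True for the IPv4 or IPv6 any-address range; malformed CIDRs are not world-open."""
    try:
        return ipaddress.ip_network(cidr, strict=False) in WORLD
    except ValueError:
        return False


def open_ingress_findings(event):
    """One finding per ipPermissions entry that opens 0.0.0.0/0 or ::/0 to SSH or to a
    port range other than a single expected public port; empty list otherwise."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = event.get("requestParameters") or {}
    findings = []
    for perm in _items(params.get("ipPermissions")):
        v4 = [r.get("cidrIp") for r in _items(perm.get("ipRanges"))]
        v6 = [r.get("cidrIpv6") for r in _items(perm.get("ipv6Ranges"))]
        world = [c for c in v4 + v6 if c and _is_world(c)]
        if not world:
            continue
        lo, hi = _port_range(perm)
        if lo <= SSH_PORT <= hi:
            reason = "ssh"  # SSH reachable from the whole internet
        elif not (lo == hi and lo in EXPECTED_PUBLIC_PORTS):
            reason = "unusual_port"  # anything beyond a single expected public port
        else:
            continue  # e.g. 443/tcp to the world is expected here
        findings.append({
            "event_time": event.get("eventTime"),
            "actor": (event.get("userIdentity") or {}).get("arn"),
            "source_ip": event.get("sourceIPAddress"),
            "group_id": params.get("groupId"),
            "protocol": str(perm.get("ipProtocol", "-1")),
            "ports": (lo, hi),
            "cidrs": world,
            "reason": reason,
        })
    return findings


def revoke_command(finding):
    """AWS CLI call that removes only the world-open CIDRs of the flagged rule.
    Run it only after confirming the change was unauthorized."""
    perm = {"IpProtocol": finding["protocol"]}
    if perm["IpProtocol"] != "-1":
        perm["FromPort"], perm["ToPort"] = finding["ports"]
    v4 = [{"CidrIp": c} for c in finding["cidrs"] if ":" not in c]
    v6 = [{"CidrIpv6": c} for c in finding["cidrs"] if ":" in c]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions %s"
            % (finding["group_id"], shlex.quote(json.dumps([perm]))))


def _event(actor, group_id, proto, lo, hi, v4=(), v6=()):
    """Build a trimmed CloudTrail record (constructed sample data, not a real log)."""
    perm = {"ipProtocol": proto,
            "ipRanges": {"items": [{"cidrIp": c} for c in v4]},
            "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in v6]}}
    if proto != "-1":
        perm["fromPort"], perm["toPort"] = lo, hi
    return {"eventTime": "2024-05-01T10:00:00Z",
            "eventName": "AuthorizeSecurityGroupIngress",
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + actor},
            "sourceIPAddress": "203.0.113.10",
            "requestParameters": {"groupId": group_id,
                                  "ipPermissions": {"items": [perm]}}}


SAMPLE_EVENTS = [  # constructed sample data
    _event("alice", "sg-0a1b2c3d4e5f60001", "tcp", 22, 22, v4=["0.0.0.0/0"]),    # SSH world-open
    _event("bob", "sg-0a1b2c3d4e5f60002", "tcp", 443, 443, v4=["0.0.0.0/0"]),    # expected
    _event("carol", "sg-0a1b2c3d4e5f60003", "tcp", 8080, 8080, v4=["10.0.0.0/8"]),  # private range
    _event("dave", "sg-0a1b2c3d4e5f60004", "tcp", 8080, 8080, v4=["0.0.0.0/0"]),   # unusual port
    _event("erin", "sg-0a1b2c3d4e5f60005", "-1", None, None, v6=["::/0"]),        # all protocols
]


def triage(events=SAMPLE_EVENTS):
    """Run the detection over a batch of CloudTrail records."""
    return [f for e in events for f in open_ingress_findings(e)]


if __name__ == "__main__":
    for f in triage():
        print("%s %s opened %s %s/%s-%s to %s (%s)" % (
            f["event_time"], f["actor"], f["group_id"], f["protocol"],
            f["ports"][0], f["ports"][1], ",".join(f["cidrs"]), f["reason"]))
        print("  revert:", revoke_command(f))
```

Against the constructed batch the script reports three findings (alice's SSH rule, dave's 8080 rule, and erin's all-protocol IPv6 rule) and ignores the expected HTTPS rule and the private-range rule. The revocation uses `--ip-permissions` rather than `--cidr` so that IPv6 rules and rules with several CIDRs are handled the same way, and it removes only the world-open ranges of the flagged entry, leaving any legitimate CIDRs on the same rule intact.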

Known False Positives

  • Temporary allowance for maintenance or troubleshooting purposes by authorized personnel
  • Automated scripts or infrastructure-as-code tools applying broad permissions during initial deployment stages
  • Testing environments where security controls are intentionally relaxed for development purposes