AWS network infrastructure modification opening a wide range of ports

ID: aws_ec2_wide_ports_open
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0003:T1133

Description

AlphaSOC detected a modification to AWS network infrastructure that opens a wide range of ports. This action could potentially expose multiple services to the internet or internal networks. Such changes can significantly increase the attack surface of the infrastructure. Please note that if the protocol is unsupported (e.g. unknown or custom), AWS assumes that all ports are open. Actions initiated by AWS services and failed attempts are exempt from the detection to avoid false positives.

Impact

Opening a wide range of ports can significantly increase the vulnerability of AWS resources. It may expose sensitive services, databases, or management interfaces to potential attackers. This expanded attack surface can lead to unauthorized access, data breaches, or serve as an entry point for further lateral movement within the network.

Severity

Severity | Condition
Low | Wide range of ports opened

Investigation and Remediation

Investigate the AWS CloudTrail logs to determine who made the change and from where. Review the specific ports that were opened and determine if this aligns with any approved changes or legitimate business needs. If unauthorized, immediately revert the changes to close unnecessary ports. Conduct a thorough security assessment of potentially exposed services.
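
The detection conditions from the Description and the first investigation questions above (who made the change, from where, which ports), as an added Python example that is not AlphaSOC's rule. It covers only security group ingress changes (`AuthorizeSecurityGroupIngress`); the 100-port threshold, the way AWS-service calls are recognised, and the sample records are assumptions constructed for illustration.

```python
# Assumption: the page gives no number for "wide"; 100 ports is a hypothetical cut-off.
WIDE_PORT_THRESHOLD = 100
PORT_PROTOCOLS = {"tcp", "udp", "6", "17"}
ICMP_PROTOCOLS = {"icmp", "icmpv6", "1", "58"}  # carry type/code, not ports


def opened_port_span(perm):
    """Return (from_port, to_port) opened by one ipPermissions item, or None for ICMP."""
    proto = str(perm.get("ipProtocol", "-1")).lower()
    if proto in ICMP_PROTOCOLS:
        return None
    if proto not in PORT_PROTOCOLS:
        return (0, 65535)  # "-1" or a custom protocol: all ports count as open
    return (perm.get("fromPort", 0), perm.get("toPort", 65535))


def triage(event):
    """Return findings for one CloudTrail record, applying the exemptions described above."""
    identity = event.get("userIdentity", {})
    if event.get("eventName") != "AuthorizeSecurityGroupIngress" or "errorCode" in event:
        return []  # other API call, or a failed attempt
    if identity.get("type") == "AWSService" or "invokedBy" in identity:
        return []  # assumption: this is how AWS-service-initiated calls are recognised
    params = event.get("requestParameters") or {}
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        span = opened_port_span(perm)
        if span is None or span[1] - span[0] + 1 < WIDE_PORT_THRESHOLD:
            continue
        findings.append({"who": identity.get("arn"), "from": event.get("sourceIPAddress"),
                         "group": params.get("groupId"), "protocol": perm.get("ipProtocol"), "ports": span,
                         "cidrs": [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]})
    return findings


def sample_event(proto, lo, hi, **overrides):
    """Build a constructed CloudTrail-shaped record (not a real log line)."""
    event = {"eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
             "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example"},
             "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
                 {"ipProtocol": proto, "fromPort": lo, "toPort": hi,
                  "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
    event.update(overrides)
    return event


if __name__ == "__main__":
    for ev in (sample_event("tcp", 0, 65535), sample_event("tcp", 443, 443), sample_event("47", 22, 22)):
        print(triage(ev))
```

The third sample record requests only port 22 but uses protocol number 47, so it is reported as opening all ports, matching the note in the Description about unsupported protocols.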