AWS security group modification allowing access from any IP address
Description
AlphaSOC detected a modification to an AWS security group that now allows access from any IP address (0.0.0.0/0) to unusual ports or the SSH port (22). This change significantly broadens the attack surface by allowing inbound traffic from the entire internet.
Impact
Opening access from any IP address increases potential security risks for AWS resources. This configuration could allow unexpected access to services, particularly if combined with SSH access on port 22. Broadened access increases the probability of unauthorized connection attempts and may conflict with security best practices.
Severity
| Severity | Condition |
|---|---|
| Informational | Modification of AWS security group detected |
Investigation and Remediation
Identify the user who made the change, the allowed IP range, and the affected ports (SSH on port 22 or any unusual ports). If the change was unauthorized, revert the security group to its previous state so that only the necessary IP ranges are allowed, and isolate the affected EC2 instance from the network. Determine which EC2 instances are associated with the modified security group, identify the services running on those instances, and assess their exposure to external threats.
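The triage steps above (who made the change, which CIDR was allowed, which ports, and how to revert) can be scripted against the CloudTrail record that AWS emits for the change. The following is an added example, not AlphaSOC's detection logic or any project code: it evaluates a constructed `AuthorizeSecurityGroupIngress` CloudTrail event, flags rules that open port 22 or an unexpected port to `0.0.0.0/0` or `::/0`, reports the actor and group ID, and builds the `aws ec2 revoke-security-group-ingress` command an analyst would review before reverting the rule. The event content, the `EXPECTED_PUBLIC_PORTS` set, and the helper names are assumptions made for the example.

```python
import ipaddress
import json

# Constructed CloudTrail record (example data, not from the original page).
# The field layout follows the shape AWS uses for EC2 management events.
SAMPLE_EVENT = json.dumps({
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "eventTime": "2024-01-01T00:00:00Z",
    "userIdentity": {"type": "IAMUser",
                     "arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {
        "groupId": "sg-0123456789abcdef0",
        "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
            {"ipProtocol": "tcp", "fromPort": 8443, "toPort": 8443,
             "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
        ]},
    },
})

# Assumption: ports the organisation intends to expose publicly.
# Anything else opened to the world counts as an "unusual port".
EXPECTED_PUBLIC_PORTS = {80, 443}
SSH_PORT = 22


def is_any_address(cidr):
    """True for a /0 prefix (0.0.0.0/0 or ::/0), i.e. the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def evaluate_ingress_event(raw_event, expected_public_ports=EXPECTED_PUBLIC_PORTS):
    """Return one finding per rule that opens SSH or an unusual port to any address."""
    event = json.loads(raw_event)
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    params = event.get("requestParameters", {})
    group_id = params.get("groupId")
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        open_cidrs = [c for c in cidrs if c and is_any_address(c)]
        if not open_cidrs:
            continue  # restricted source range: not in scope for this detection
        proto = perm.get("ipProtocol")
        from_port, to_port = perm.get("fromPort"), perm.get("toPort")
        if proto == "-1" or from_port is None:
            reason = "all traffic"          # protocol -1 carries no port range
        elif from_port <= SSH_PORT <= to_port:
            reason = "ssh"
        elif all(p in expected_public_ports for p in range(from_port, to_port + 1)):
            continue  # only intentionally public ports: suppress
        else:
            reason = "unusual port"
        findings.append({"actor": actor, "group_id": group_id, "protocol": proto,
                         "from_port": from_port, "to_port": to_port,
                         "cidrs": open_cidrs, "reason": reason})
    return findings


def revoke_command(finding):
    """Build the AWS CLI command that removes the flagged rule, for analyst review."""
    v4 = [{"CidrIp": c} for c in finding["cidrs"] if ipaddress.ip_network(c).version == 4]
    v6 = [{"CidrIpv6": c} for c in finding["cidrs"] if ipaddress.ip_network(c).version == 6]
    perm = {"IpProtocol": finding["protocol"]}
    if finding["from_port"] is not None:
        perm["FromPort"] = finding["from_port"]
        perm["ToPort"] = finding["to_port"]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["group_id"], json.dumps([perm])))


if __name__ == "__main__":
    for f in evaluate_ingress_event(SAMPLE_EVENT):
        print("%s opened %s/%s-%s to %s in %s (%s)" % (
            f["actor"], f["protocol"], f["from_port"], f["to_port"],
            ",".join(f["cidrs"]), f["group_id"], f["reason"]))
        print("  revert with:", revoke_command(f))
```

The 443 rule limited to `10.0.0.0/8` is ignored, the port 22 rule is reported as SSH, and the IPv6 `::/0` rule on 8443 is reported as an unusual port; the generated revoke command is printed rather than executed so that the change is confirmed against the false-positive list before it is reverted.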
Known False Positives
- Temporary allowance for maintenance or troubleshooting purposes by authorized personnel
- Automated scripts or infrastructure-as-code tools applying broad permissions during initial deployment stages
- Testing environments where security controls are intentionally relaxed for development purposes