Find any instances or TCP ELBs with port 22 (ssh) or 3389 (RDP) open.
One of the most common security exposures are instances in security groups with ports 22 or 3389 open to the Interent (0.0.0.0/0). These are typically administrative servers and jump boxes. This Op identifies any security groups with the administrative ports open, and then determine if there are any exposed instances within those security groups. It can’t differentiate between instances that are Internet accessible, in ones that are still protected because they are in a private subnet.
DisruptOps users can choose to lock down the security group to pre-approved IP addresses, or completely quarantine the instances.
Supported Issue Types:
Instance exposed to Internet
- The instance has Port 22 or 3389 open to 0.0.0.0/0
Instance at risk but not exposed
- The instance has Port 22 or 3389 open to 0.0.0.0/0 but is not in a publicly accessible subnet
- Restrict to approved IP address
- Revoke security group ingress rules
In our last post, we walked through the console and highlighted making the most of the Security Hub console and some tips and tricks to make it more useful. Today I want to dive into one of the best parts of Security Hub — taking actions on events and findings.
Security Ops Waiting Game Remember in the olden days, when central IT ruled the land? If an application required fixes or new capabilities, the business put in a change order, and the IT folks