We just published A Real-World Look at AWS Best Practices: Networking, part 6 of our AWS Best Practices series, looking closer at networking configurations with NACLs and Security Groups with respect to inbound access from the Internet to RDP and SSH, as well as the use of Default Security Groups (not recommended).
In reviewing anonymized customer, we found opportunities to improve security:
- Use More Secure Remote Access: Replace security groups that allow inbound Internet access to remote admin ports with more secure methods to remotely administer EC2 instances. 4% of the security groups in use allow inbound Internet access for SSH or RDP.
- Do Not Use Default Security Groups: Ensure that default security groups do not allow any traffic and are not used. 609 default security groups (1% of all security groups) are being used and allow traffic of some kind.
Some additional, relevant material you may want to also read:
- It’s All About Access: Remote Access Statistics for Public Cloud Workloads
- Leaving Bastion Hosts Behind Part 2: AWS
For our customers, we'd appreciate engaging with you to see how we can assist in improving network security:
- Are you able to use our CSPM product, Continuous Security Assessment, to help find these violations.
- To secure your VPCs and resources, are you using NACLs, just Security Groups, or both?
- What are you using for secure remote access to your compute instances / cloud applications? Do you use Netskope Private Access, the cloud vendor's solution, a custom ssh bastion host in a compute instance, or do you directly allow SSH or RDP inbound from the Internet? If the latter, are you using IP allow lists?