My goal is to restrict security group rules that are open to the public, i.e. 0.0.0.0/0 or ::0, across multiple accounts (and regions) in an organization. With ***some*** exceptions, e.g. port 80 and port 443 can be open inbound to the public, and maybe other custom exceptions later on for some OUs etc.
I found Firewall Manager seems to be the best tool for the job, using steps from:
I have created a "template" audit security group:
But the problem is, although it's picking up noncompliance for a security group rule with ALL traffic, it's not able to determine the right action to block/remove the rule? Is this because it contains HTTP and HTTPS within the range of ports? How can I get past this problem? If a user were to create the ALL inbound rule, I would want it to be denied.
One solution I thought of was to instead make a template with all the denies explicitly, and use that instead, but this seems to be an arduous task as you would need to make an IPv4 and IPv6 rule for each TCP / UDP port (> 65,534), which I clearly won't want to do. But I still want to operate from a basis of the principle of least privilege, which is why I liked the original solution; however, it is running into the issue with the ALL inbound rule. Any suggestions?
Thanks.
Yeah I think there was a misunderstanding, I'm not trying to create a deny all security group. To quote the goal and problem (with slight modification) in my original post:
"My goal is to restrict security group rules that are open to the public, i.e. 0.0.0.0/0 or ::0, across multiple accounts (and regions) in an organization. With ***some*** exceptions, e.g. port 80 and port 443 can be open inbound to the public, and maybe other custom exceptions later on for some OUs etc.
The problem is, although Firewall Manager is picking up noncompliance for a security group rule with ALL traffic, it's not able to determine the right action to block/remove the rule? Is this because it contains HTTP and HTTPS within the range of ports? How can I get past this problem? If a user were to create the ALL inbound rule, I would want the rule to be removed."
The idea is that users may manually create these open rules and I want those rules removed and/or not allowed to be created etc.
In
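The evaluation the original question and this follow-up both describe, as an added stand-alone example (not code from the post, from AWS, or from Firewall Manager): inbound security group permissions are checked against an allow-list of exact (protocol, from-port, to-port) exceptions that may face the internet, and any permission whose source is the IPv4 or IPv6 wildcard and that does not exactly match an exception is reported. The point it makes explicit is the one the question turns on: an "All traffic" rule (protocol `-1`) or a broad range such as TCP 0-65535 *contains* ports 80 and 443 but is not equal to either exception, so it is a violation rather than an ambiguous case. Input is shaped like boto3's `ec2.describe_security_groups()` response so real output can be fed in; the group IDs, the sample rules and the `ALLOWED_PUBLIC` set are constructed for the example. AWS writes the IPv6 wildcard as `::/0`.

```python
"""
Added example: audit inbound security group rules for public exposure.
Not from the original post or from AWS; the sample data below is constructed.
"""
from __future__ import annotations

# IPv4 and IPv6 "anywhere" sources as AWS represents them.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

# Exceptions that may be open to the public. These are exact
# (protocol, from_port, to_port) triples, not ranges: a rule is only
# compliant if it matches one of them exactly. (Constructed allow-list.)
ALLOWED_PUBLIC = {
    ("tcp", 80, 80),
    ("tcp", 443, 443),
}


def is_public(perm: dict) -> bool:
    """True if any source on the permission is the IPv4 or IPv6 wildcard."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & PUBLIC_CIDRS)


def rule_allowed(perm: dict) -> bool:
    """A public rule is compliant only if it exactly equals an exception.

    IpProtocol "-1" is AWS's "All traffic" rule; it carries no ports and can
    never match an exception. A wide port range that merely contains 80 or
    443 does not match either, so it is reported as a violation.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return False
    return (proto, perm.get("FromPort"), perm.get("ToPort")) in ALLOWED_PUBLIC


def find_violations(groups: list[dict]) -> list[dict]:
    """One record per inbound permission that is public and not allow-listed."""
    out = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if is_public(perm) and not rule_allowed(perm):
                proto = perm.get("IpProtocol")
                out.append({
                    "GroupId": sg["GroupId"],
                    "IpProtocol": proto,
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Reason": ("all traffic open to the public" if proto == "-1"
                               else "protocol/port not an allowed public exception"),
                })
    return out


# Constructed sample in describe_security_groups() shape (group IDs are made up).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000000000000aaaa",
        "IpPermissions": [
            # "All traffic" from anywhere on both address families: violation.
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # Exactly tcp/443 from anywhere: matches an exception, compliant.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # tcp 0-65535 contains 80 and 443 but is not equal to either: violation.
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # SSH from a private range only: not public, ignored by this check.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    },
    {
        "GroupId": "sg-0000000000000bbbb",
        "IpPermissions": [
            # udp/53 from the IPv6 wildcard: public and not an exception, violation.
            {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


if __name__ == "__main__":
    for v in find_violations(SAMPLE_GROUPS):
        print(v)
```

To run it against live data, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `describe_security_groups()` in each account and region; the comparison logic is unchanged. Keeping the exceptions as exact triples rather than port ranges is what prevents an "All traffic" or 0-65535 rule from being accepted just because 80 and 443 fall inside it.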