IP Ports are open to all Internal AWS Servers

We have found that you have at least one of your security groups' IP ports open to all internal AWS servers. This can potentially make some of your servers vulnerable. This issue can occur if one of your security groups was configured to allow inbound access from the following IP range - 10.0.0.1/8.

We suggest limiting access of internal AWS servers to these open ports in one of the following ways:

  • IP Address: Limit access to a specific IP address of an instance that is yours (e.g. 10.17.48.156/32).
  • Security Group: Limit access to a certain security group, i.e. use another security group's rules to limit access (e.g. sg-3c02c053).

Identification

Our identification of the issue is based on the following data:

  • One or more security groups were configured to allow access to their open IP ports from the 10.0.0.1/8 range, i.e. from all internal AWS servers.
  • We have identified that one or more of your AWS instances are using the security group with the open IP ports.

Instructions

View security groups

AWS Management Console

    1. Log in to the AWS Management Console and click the Amazon EC2 tab.
    2. In the Navigation pane click Security Groups. The console displays a list of security groups that belong to the account.
    3. To view more information about a security group, including its rules, select it. The group’s information is displayed in the lower pane.

Command Line Tools

Enter the following command:

PROMPT>  ec2-describe-group [group ...]

Amazon EC2 returns output similar to the following example.

GROUP   sg-455b6c31     999988887777    WebServers   web

PERMISSION      999988887777    WebServers ALLOWS  tcp     80      80      FROM    CIDR    0.0.0.0/0       ingress

Tip: To filter the list to return only the security group with the open ports, use the `ip-permission.from-port` and the `ip-permission.to-port` filters.
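As an added example (not part of the original article or of Newvem's own tooling), the following Python script ties the two halves of this page together: it parses the GROUP/PERMISSION output format shown above, flags ingress rules whose source range covers every internal AWS address (0.0.0.0/0, 10.0.0.1/8, or anything wider), applies the same from-port/to-port filter the tip describes, and joins the result with the instance-to-security-group mapping that the Identification section relies on. The sample output and the instance list are constructed for the example; the account id, group ids and instance ids are placeholders, and the layout of the group-sourced PERMISSION line (USER/NAME/ID tokens) is assumed.

```python
import ipaddress
import re

# Constructed sample of ec2-describe-group output in the GROUP/PERMISSION line
# format shown above. Account id, group ids and names are placeholders; the
# USER/NAME/ID layout of the group-sourced rule is an assumption.
SAMPLE_OUTPUT = """\
GROUP sg-455b6c31 999988887777 WebServers web
PERMISSION 999988887777 WebServers ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0 ingress
PERMISSION 999988887777 WebServers ALLOWS tcp 22 22 FROM CIDR 10.0.0.1/8 ingress
GROUP sg-3c02c053 999988887777 AppServers app
PERMISSION 999988887777 AppServers ALLOWS tcp 8080 8080 FROM CIDR 10.17.48.156/32 ingress
PERMISSION 999988887777 AppServers ALLOWS tcp 3306 3306 FROM USER 999988887777 NAME WebServers ID sg-455b6c31 ingress
"""

# Constructed instance -> security-group membership, as describe-instances would report it.
SAMPLE_INSTANCES = {
    "i-0a1b2c3d": ["sg-455b6c31"],
    "i-0e4f5a6b": ["sg-455b6c31", "sg-3c02c053"],
    "i-0c7d8e9f": ["sg-3c02c053"],
}

# The whole internal range the article is about. 10.0.0.1/8 is the same /8 block.
INTERNAL_RANGE = ipaddress.ip_network("10.0.0.0/8")


def parse_describe_group(text):
    """Parse GROUP/PERMISSION lines into {group_id: {"name": ..., "rules": [...]}}."""
    groups = {}
    current = None
    for line in text.splitlines():
        fields = line.split()  # handles tab- and space-separated output alike
        if not fields:
            continue
        if fields[0] == "GROUP":
            # GROUP <group-id> <account-id> <group-name> <description>
            current = fields[1]
            groups[current] = {"name": fields[3], "rules": []}
        elif fields[0] == "PERMISSION" and current is not None:
            # PERMISSION <account> <name> ALLOWS <proto> <from> <to> FROM <source...> <direction>
            if fields[8] == "CIDR":
                source = fields[9]
            else:
                # group-sourced rule: keep the sg-id that follows the ID token (assumed layout)
                source = fields[fields.index("ID") + 1] if "ID" in fields else fields[9]
            groups[current]["rules"].append({
                "proto": fields[4],
                "from_port": int(fields[5]),
                "to_port": int(fields[6]),
                "source": source,
                "direction": fields[-1],
            })
    return groups


def source_covers_internal_range(source):
    """True when a CIDR source admits every host in 10.0.0.0/8.
    Security-group sources (sg-...) are never treated as broad."""
    if not re.fullmatch(r"[0-9.]+/\d+", source):
        return False
    net = ipaddress.ip_network(source, strict=False)  # strict=False accepts 10.0.0.1/8
    return INTERNAL_RANGE.subnet_of(net)


def find_open_internal_ports(groups, instances, from_port=None, to_port=None):
    """One finding per ingress rule open to all internal servers, with the instances
    that use the group. from_port/to_port mirror the ip-permission.* filters in the tip."""
    findings = []
    for gid, group in groups.items():
        for rule in group["rules"]:
            if rule["direction"] != "ingress":
                continue
            if from_port is not None and rule["from_port"] != from_port:
                continue
            if to_port is not None and rule["to_port"] != to_port:
                continue
            if not source_covers_internal_range(rule["source"]):
                continue
            findings.append({
                "group_id": gid,
                "group_name": group["name"],
                "ports": f"{rule['proto']} {rule['from_port']}-{rule['to_port']}",
                "source": rule["source"],
                "instances": sorted(i for i, gids in instances.items() if gid in gids),
            })
    return findings


if __name__ == "__main__":
    for f in find_open_internal_ports(parse_describe_group(SAMPLE_OUTPUT), SAMPLE_INSTANCES):
        print(f"{f['group_id']} ({f['group_name']}): {f['ports']} open from {f['source']}; "
              f"instances: {', '.join(f['instances'])}")
```

On the constructed sample the script reports two findings, both on sg-455b6c31: port 80 from 0.0.0.0/0 and port 22 from 10.0.0.1/8, each affecting the two instances that carry that group. The /32 rule and the rule sourced from sg-455b6c31 on the AppServers group are not reported, which is exactly the end state the two suggested fixes aim for.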

How to add a rule to a security group

AWS Management Console

To add a rule to a security group:

  1. Log in to the AWS Management Console and click the Amazon EC2 tab.
  2. Click Security Groups in the Navigation pane. The console displays a list of security groups that belong to the account.
  3. Select an EC2 security group. Its rules appear on the Inbound tab in the lower pane.
  4. To add a rule:
    1. From the Create a new rule drop-down list, select the option that you want.
    2. Specify a port or port range. In this case, we suggest that you include all ports.
    3. In the Source field, specify one of the following:
      • Name or ID of a security group (to allow access from that group) that you know is yours.
      • Type an IP address or range of addresses to limit access to one computer or a network, for example 203.0.113.5/32.
  5. Click Add Rule - An asterisk appears on the Inbound tab.
  6. Click Apply Rule Changes - The new rule is created and applied to all instances that belong to the security group.
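The console steps above are the same for both suggested fixes; what differs is the Source value you type. As an added example (not from the original article and not Newvem's code), the following Python builds the replacement rule in the IpPermissions structure that the EC2 API's authorize-security-group-ingress call takes, and refuses any source that is not one of the two recommended kinds (a single /32 host or a security-group id), so the 10.0.0.1/8 rule cannot be recreated by mistake. The broad "before" rule and the group id are constructed placeholders; the boto3 calls named in the comments are not executed here.

```python
import ipaddress
import re

# Security-group ids: sg- followed by 8 (classic) or 17 (newer) hex characters.
GROUP_ID = re.compile(r"sg-[0-9a-f]{8,17}")

# Constructed "before" rule: SSH open to every internal AWS server, the condition
# this article reports. The CIDR is the one quoted in the article.
BROAD_SSH_RULE = {
    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.0.1/8"}],
}


def build_restricted_rule(source, protocol="-1", from_port=None, to_port=None):
    """Return an IpPermissions entry whose source is either a single /32 address
    or a security-group id. protocol "-1" means all protocols and ports (the
    article's "include all ports" suggestion); anything else needs a port range.
    Raises ValueError for a source wider than one host."""
    perm = {"IpProtocol": protocol}
    if protocol != "-1":
        if from_port is None or to_port is None:
            raise ValueError("from_port and to_port are required unless protocol is -1")
        perm["FromPort"] = from_port
        perm["ToPort"] = to_port
    if GROUP_ID.fullmatch(source):
        # Fix 2 from the article: source is another security group, e.g. sg-3c02c053
        perm["UserIdGroupPairs"] = [{"GroupId": source}]
        return perm
    # Fix 1 from the article: source is one instance's address, e.g. 10.17.48.156/32
    net = ipaddress.ip_network(source, strict=False)
    if net.prefixlen != net.max_prefixlen:
        raise ValueError(
            f"{source} covers {net.num_addresses} addresses; use a single host (/32) "
            "or a security-group id instead")
    perm["IpRanges"] = [{"CidrIp": str(net)}]
    return perm


def replacement_plan(broad_rule, new_source, all_ports=False):
    """Pair the rule to revoke with the narrower rule to authorize. By default the
    new rule keeps the revoked rule's protocol and ports; all_ports=True follows
    the article's suggestion of opening all ports to the restricted source."""
    if all_ports:
        authorize = build_restricted_rule(new_source)
    else:
        authorize = build_restricted_rule(
            new_source, broad_rule["IpProtocol"],
            broad_rule.get("FromPort"), broad_rule.get("ToPort"))
    # With boto3 this would be applied as (not executed here, GROUP_ID_HERE is a placeholder):
    #   ec2.authorize_security_group_ingress(GroupId="GROUP_ID_HERE", IpPermissions=[authorize])
    #   ec2.revoke_security_group_ingress(GroupId="GROUP_ID_HERE", IpPermissions=[broad_rule])
    # Authorize first so the allowed peer never loses access during the change.
    return {"revoke": broad_rule, "authorize": authorize}


if __name__ == "__main__":
    print(replacement_plan(BROAD_SSH_RULE, "sg-3c02c053"))
    print(replacement_plan(BROAD_SSH_RULE, "10.17.48.156/32", all_ports=True))
    try:
        build_restricted_rule("10.0.0.1/8")
    except ValueError as err:
        print("rejected:", err)
```

The validation step is the part worth keeping in any automation around security groups: the console accepts 10.0.0.1/8 in the Source field just as readily as 10.17.48.156/32, so a guard that only ever emits /32 hosts or group ids is what stops the finding from reappearing.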

Keywords: ip ports, internal aws servers, amazon ec2 security groups.

Additional Relevant Resources

Using Security Groups on Amazon AWS

Understanding Amazon EC2 Security Groups and Firewalls

AWS Network Security

Check Dome9 to control and manage your ports on-demand

Recipe: Programmatically Creating and Updating AWS security groups
