Unnecessary Security Groups Ports are Open on DB Server
We have noticed that at least one unnecessary port is open on your DB server, meaning that your DB server is potentially vulnerable. Typically this issue occurs when using the same security groups to secure DB and non-DB servers. We suggest setting security groups specifically for the DB server and limiting access to recommended DB-related ports only.
Identification
Our identification of the issue is based on the following data:
- One or more security groups are configured to allow inbound access to IP ports on your DB server.
- We have identified that your DB server is using the security group with the open IP ports.
Instructions
View security groups
AWS Management Console
- Log in to the AWS Management Console and click the Amazon EC2 tab.
- Click Security Groups in the Navigation pane. The console displays a list of security groups that belong to the account.
- To view more information about a security group, including its rules, select it. The group’s information is displayed in the lower pane.
Command Line Tools
Enter the following command:
PROMPT> ec2-describe-group [group ...]
Amazon EC2 returns output similar to the following example.
GROUP sg-455b6c31 999988887777 WebServers web
PERMISSION 999988887777 WebServers ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0 ingress
Tip: To filter the list to return only the security group with the open ports, use the ip-permission.from-port and the ip-permission.to-port filters.
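The check above can also be run over the security group data itself. The following is an added example (not part of the original article): it takes security group records in the JSON shape returned by `aws ec2 describe-security-groups` (a constructed sample is embedded, named after the group in the output above) and reports every ingress rule that opens a port outside the DB allow-list, marking rules whose source is the whole internet. The allowed DB ports, the group IDs and the CIDRs are assumptions for the sample.

```python
# Ports a DB server legitimately accepts (assumption: MySQL and PostgreSQL
# defaults); replace with the port of the engine actually deployed.
DB_PORTS = {3306, 5432}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the JSON shape of `aws ec2 describe-security-groups`
# output (the same data the page's ec2-describe-group command prints as text).
SAMPLE_GROUPS = [{
    "GroupId": "sg-455b6c31",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.5/32"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": []},
    ],
}]


def rule_sources(perm):
    """Every source a rule admits: IPv4 CIDRs, IPv6 CIDRs and security groups."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])


def unnecessary_rules(groups, allowed_ports=DB_PORTS):
    """Ingress rules that open ports outside allowed_ports, one finding per source."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                # "all traffic": every port, every protocol
                low, high = 0, 65535
            elif proto in ("tcp", "udp"):
                low, high = perm["FromPort"], perm["ToPort"]
            else:
                continue                     # icmp: From/ToPort are type/code, not ports
            exposed = set(range(low, high + 1)) - allowed_ports
            if not exposed:
                continue                     # rule opens only the DB port(s): keep it
            for src in rule_sources(perm):
                findings.append({"group": group["GroupId"], "protocol": proto,
                                 "ports": (min(exposed), max(exposed)),
                                 "source": src, "world_open": src in WORLD})
    return findings
```

For the sample, the 3306 rule from the application tier's group passes, while the HTTP, SSH and all-traffic rules are reported as unnecessary on a DB server; the `world_open` flag is what to triage first.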
How to add a rule to a security group
AWS Management Console
To add a rule to a security group:
1. Log in to the AWS Management Console and click the Amazon EC2 tab.
2. Click Security Groups in the Navigation pane. The console displays a list of security groups that belong to the account.
3. Select an EC2 security group. Its rules appear on the Inbound tab in the lower pane.
4. To add a rule:
   - From the Create a new rule: drop-down list, select the option you want.
   - Specify a port or port range. In this case we suggest that you reduce the number of open ports to a minimum, limiting access from the outside world only to web-facing services (e.g. ports 80 for HTTP and 443 for HTTPS).
   - In the Source field, specify one of the following:
     - Name or ID of a security group (to allow access from that group). If the group isn't in your AWS account, prefix the group name with the AWS account ID and a forward slash (e.g., 111122223333/OtherSecurityGroup).
     - IP address range in CIDR notation (to allow access from that IP address range). For example, enter 0.0.0.0/0 to allow all IP addresses to access the specified port range. Enter an IP address or range of addresses to limit access to one computer or a network, for example 203.0.113.5/32.
5. Click Add Rule.
An asterisk appears on the Inbound tab.
6. Click Apply Rule Changes.
The new rule is created and applied to all instances that belong to the security group.
Additional Relevant Resources
Using Security Groups on Amazon AWS
Understanding Amazon EC2 Security Groups and Firewalls
Check Dome9 to control and manage your ports on-demand
Recipe: Programmatically Creating and Updating AWS security groups