What is the most efficient way to remediate the risk of this activity?
Delete the internet gateway associated with the VPC.
Use network access control lists to block source IP addresses matching 0.0.0.0/0.
Use a host-based firewall to prevent access from all but the organization’s firewall IP.
Use AWS Config rules to detect 0.0.0.0/0 and invoke an AWS Lambda function to update the security group with the organization’s firewall IP.
Explanations:
Deleting the internet gateway would remove all internet connectivity for the VPC. That is overly drastic: it disrupts every legitimate workload, not just SSH and RDP access, and it leaves the overly permissive security group rules themselves in place, so the actual misconfiguration is never corrected.
Network access control lists (NACLs) can deny traffic from 0.0.0.0/0, but a NACL is stateless and is evaluated per subnet rather than per security group. A deny on 0.0.0.0/0 matches every source, including the organization's firewall IP, so a higher-priority (lower-numbered) allow rule for the firewall address would be needed, plus ephemeral-port rules for stateless return traffic. Even then the NACL only layers another control on top of the misconfigured security group rules, which remain the root cause.
A host-based firewall can limit access inside the instance, but it does nothing about the security group, so the misconfiguration persists at the network boundary and new instances launched with the same group are exposed until their host firewall is configured. Managing host firewall rules individually across many instances is also error-prone and does not scale.
AWS Config rules such as the managed rules restricted-ssh and restricted-common-ports continuously evaluate security groups and flag any rule that allows 0.0.0.0/0 on the administrative ports whenever the group changes. A noncompliant result can trigger an automatic remediation action that invokes an AWS Lambda function, which revokes the open rule and authorizes the same ports only from the organization's firewall IP. This detects and fixes the misconfiguration without manual intervention and keeps the security groups in line with policy, which is why it is the most efficient remediation. Two practical points: the remediation is reactive, so there is a short window between the change and the fix (a preventive guardrail such as an IAM or SCP restriction on authorizing 0.0.0.0/0 complements it), and the Lambda function should only touch the ports in scope so that intentionally public listeners such as HTTPS are left alone.
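The following is an added example of the remediation Lambda described above; it is illustrative code, not part of the original question or an AWS-supplied function. It assumes the administrative ports are SSH (22) and RDP (3389), that the remediation action passes the security group ID as `event["ResourceId"]`, and that the organization's firewall CIDR is supplied in the environment variable `ORG_FIREWALL_CIDR`; those event and variable names are assumptions for this example. The planning logic is kept separate from the boto3 calls so it can be tested offline against a constructed `IpPermissions` list.

```python
"""Remediate security group rules that expose SSH/RDP to 0.0.0.0/0.

Added example: the remediation half of the "Config rule + Lambda" pattern.
Only the plan_remediation() function is exercised offline; lambda_handler()
wires it to EC2 through boto3 when deployed.
"""
import os

# Assumption: only these ports are considered administrative and in scope.
ADMIN_PORTS = {22, 3389}
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"


def _covers_admin_port(perm):
    """True if an EC2 IpPermission entry covers SSH or RDP (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # all protocols/ports, which includes 22 and 3389
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def plan_remediation(ip_permissions, allowed_cidr):
    """Compute (revoke, authorize) lists in EC2 IpPermissions format.

    revoke:    the 0.0.0.0/0 and ::/0 ranges on rules covering 22/3389.
    authorize: the same protocol/port range restricted to allowed_cidr.
    Rules on other ports (e.g. public HTTPS) and other source ranges on the
    same rule (e.g. a partner CIDR) are deliberately left untouched.
    """
    revoke, authorize = [], []
    for perm in ip_permissions:
        if not _covers_admin_port(perm):
            continue
        open_v4 = [{"CidrIp": r["CidrIp"]} for r in perm.get("IpRanges", [])
                   if r.get("CidrIp") == OPEN_V4]
        open_v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in perm.get("Ipv6Ranges", [])
                   if r.get("CidrIpv6") == OPEN_V6]
        if not open_v4 and not open_v6:
            continue                       # already restricted, nothing to do
        base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        rev = dict(base)
        if open_v4:
            rev["IpRanges"] = open_v4
        if open_v6:
            rev["Ipv6Ranges"] = open_v6
        revoke.append(rev)
        auth = dict(base)
        auth["IpRanges"] = [{"CidrIp": allowed_cidr,
                             "Description": "org firewall (auto-remediated)"}]
        authorize.append(auth)
    return revoke, authorize


def lambda_handler(event, context):
    """Entry point when invoked by the Config remediation action (assumed wiring)."""
    import boto3                                   # available in the Lambda runtime
    from botocore.exceptions import ClientError

    ec2 = boto3.client("ec2")
    sg_id = event["ResourceId"]                    # assumption: passed by the remediation action
    allowed_cidr = os.environ["ORG_FIREWALL_CIDR"]  # assumption: configured on the function
    group = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    revoke, authorize = plan_remediation(group["IpPermissions"], allowed_cidr)

    # Authorize the firewall CIDR first so admin access is never fully cut off,
    # then revoke the world-open ranges. A duplicate rule is not an error here.
    for perm in authorize:
        try:
            ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[perm])
        except ClientError as err:
            if err.response["Error"]["Code"] != "InvalidPermission.Duplicate":
                raise
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=revoke)
    return {"group": sg_id, "revoked": len(revoke), "authorized": len(authorize)}


# Constructed sample: SSH and RDP open to the world, HTTPS intentionally public.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"},
                  {"CidrIp": "198.51.100.0/24", "Description": "partner"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    rev, auth = plan_remediation(SAMPLE_PERMISSIONS, "203.0.113.10/32")
    print("revoke:", rev)
    print("authorize:", auth)
```

Running the module locally shows the plan: the 0.0.0.0/0 and ::/0 ranges on ports 22 and 3389 are revoked, the partner CIDR on port 22 and the public HTTPS rule are untouched, and the two admin ports are re-authorized from the firewall CIDR only. The managed Config rule does the detection; this function only runs when the rule reports noncompliance.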