AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
Id | d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9 |
Rulename | AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports |
Description | This query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports using AWS Security Hub control EC2.19 findings. Publicly exposed management, database, and service ports (e.g., RDP 3389, SSH 22, SQL 1433/3306) significantly increase the risk of brute-force attacks, exploitation, and lateral movement. |
Severity | High |
Tactics | InitialAccess LateralMovement Discovery |
Techniques | T1133 T1021 T1046 |
Required data connectors | AWSSecurityHub |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/EC2SecurityGroupHighRiskOpenPorts.yaml |
Version | 1.0.0 |
Arm template | d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9.json |
let HighRiskPorts = dynamic([3389,20,23,110,143,3306,8080,1433,9200,9300,25,445,135,21,1434,4333,5432,5500,5601,22,3000,5000,8088,8888]);
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/EC2.19"
or tostring(ComplianceSecurityControlId) == "EC2.19"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsEc2SecurityGroup"
| extend SGDetails = Resource.Details.AwsEc2SecurityGroup
| extend IpPermissions = SGDetails.IpPermissions
| mv-expand Perm = IpPermissions
| where toint(Perm.FromPort) in (HighRiskPorts)
| mv-expand Range = Perm.IpRanges
| where tostring(Range.CidrIp) in ("0.0.0.0/0", "::/0")
| summarize TimeGenerated = max(TimeGenerated), OpenHighRiskPorts = make_set(tostring(Perm.FromPort))
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId, SecurityGroupId = tostring(SGDetails.GroupId), SecurityGroupARN = tostring(Resource.Id)
| extend OpenHighRiskPorts = strcat_array(OpenHighRiskPorts, ", ")
entityMappings:
- fieldMappings:
- columnName: AwsAccountId
identifier: Name
- columnName: AwsAccountId
identifier: CloudAppAccountId
entityType: Account
- fieldMappings:
- columnName: SecurityGroupARN
identifier: Name
entityType: CloudApplication
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/EC2SecurityGroupHighRiskOpenPorts.yaml
queryFrequency: 1h
status: Available
tags:
- AWS Foundational Security Best Practices v1.0.0
- NIST 800-53 r5
relevantTechniques:
- T1133
- T1021
- T1046
triggerOperator: gt
version: 1.0.0
kind: Scheduled
id: d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9
requiredDataConnectors:
- connectorId: AWSSecurityHub
dataTypes:
- AWSSecurityHubFindings
alertDetailsOverride:
alertDisplayNameFormat: EC2 Security group {{SecurityGroupId}} allows unrestricted high-risk ports
alertDescriptionFormat: 'EC2 Security group {{SecurityGroupId}} allows unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports: {{OpenHighRiskPorts}}. Restrict or remove the offending rules.'
name: AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
description: |
This query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports using AWS Security Hub control EC2.19 findings.
Publicly exposed management, database, and service ports (e.g., RDP 3389, SSH 22, SQL 1433/3306) significantly increase the risk of brute-force attacks, exploitation, and lateral movement.
query: |
let HighRiskPorts = dynamic([3389,20,23,110,143,3306,8080,1433,9200,9300,25,445,135,21,1434,4333,5432,5500,5601,22,3000,5000,8088,8888]);
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/EC2.19"
or tostring(ComplianceSecurityControlId) == "EC2.19"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsEc2SecurityGroup"
| extend SGDetails = Resource.Details.AwsEc2SecurityGroup
| extend IpPermissions = SGDetails.IpPermissions
| mv-expand Perm = IpPermissions
| where toint(Perm.FromPort) in (HighRiskPorts)
| mv-expand Range = Perm.IpRanges
| where tostring(Range.CidrIp) in ("0.0.0.0/0", "::/0")
| summarize TimeGenerated = max(TimeGenerated), OpenHighRiskPorts = make_set(tostring(Perm.FromPort))
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId, SecurityGroupId = tostring(SGDetails.GroupId), SecurityGroupARN = tostring(Resource.Id)
| extend OpenHighRiskPorts = strcat_array(OpenHighRiskPorts, ", ")
tactics:
- InitialAccess
- LateralMovement
- Discovery
queryPeriod: 1h
customDetails:
ComplianceControlId: ComplianceSecurityControlId
FindingId: AwsSecurityFindingId
OpenHighRiskPorts: OpenHighRiskPorts
SecurityGroupId: SecurityGroupId
Region: AwsRegion
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "EC2 Security group {{SecurityGroupId}} allows unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports: {{OpenHighRiskPorts}}. Restrict or remove the offending rules.",
"alertDisplayNameFormat": "EC2 Security group {{SecurityGroupId}} allows unrestricted high-risk ports"
},
"alertRuleTemplateName": "d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9",
"customDetails": {
"ComplianceControlId": "ComplianceSecurityControlId",
"FindingId": "AwsSecurityFindingId",
"OpenHighRiskPorts": "OpenHighRiskPorts",
"Region": "AwsRegion",
"SecurityGroupId": "SecurityGroupId"
},
"description": "This query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports using AWS Security Hub control EC2.19 findings.\nPublicly exposed management, database, and service ports (e.g., RDP 3389, SSH 22, SQL 1433/3306) significantly increase the risk of brute-force attacks, exploitation, and lateral movement.\n",
"displayName": "AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AwsAccountId",
"identifier": "Name"
},
{
"columnName": "AwsAccountId",
"identifier": "CloudAppAccountId"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "SecurityGroupARN",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/EC2SecurityGroupHighRiskOpenPorts.yaml",
"query": "let HighRiskPorts = dynamic([3389,20,23,110,143,3306,8080,1433,9200,9300,25,445,135,21,1434,4333,5432,5500,5601,22,3000,5000,8088,8888]);\nAWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/EC2.19\"\n or tostring(ComplianceSecurityControlId) == \"EC2.19\"\n| mv-expand Resource = Resources\n| where tostring(Resource.Type) == \"AwsEc2SecurityGroup\"\n| extend SGDetails = Resource.Details.AwsEc2SecurityGroup\n| extend IpPermissions = SGDetails.IpPermissions\n| mv-expand Perm = IpPermissions\n| where toint(Perm.FromPort) in (HighRiskPorts)\n| mv-expand Range = Perm.IpRanges\n| where tostring(Range.CidrIp) in (\"0.0.0.0/0\", \"::/0\")\n| summarize TimeGenerated = max(TimeGenerated), OpenHighRiskPorts = make_set(tostring(Perm.FromPort))\n by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n AwsSecurityFindingId, ComplianceSecurityControlId, SecurityGroupId = tostring(SGDetails.GroupId), SecurityGroupARN = tostring(Resource.Id)\n| extend OpenHighRiskPorts = strcat_array(OpenHighRiskPorts, \", \")\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery",
"InitialAccess",
"LateralMovement"
],
"tags": [
"AWS Foundational Security Best Practices v1.0.0",
"NIST 800-53 r5"
],
"techniques": [
"T1021",
"T1046",
"T1133"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}