All Collections
Control Tests
Test: Public SSH Denied
Test: Public SSH Denied

Drata inspects all virtual assets to determine if security groups allow SSH access to public (0.0.0.0/0)

Ashley Hyman avatar
Written by Ashley Hyman
Updated over a week ago

ASSOCIATED DRATA CONTROL

This test is part of the Denial of Public SSH control that ensures no public SSH is allowed to virtualized assets.

WHAT TO DO IF A TEST FAILS

If Drata finds one or more security groups that allow public SSH access the test will fail. With a failed test you will receive a list of groups that allow public SSH access.

To remediate a failed test, you will need to adjust the security group configuration to disallow public SSH on the reported groups.

STEPS FOR PASSING

To ensure a validated state when testing for denial of public SSH, please follow the steps listed in the table below. Once the provider steps have been completed, navigate back to Drata and execute the test.

Provider / Technology

Provider Steps

AWS - Security Groups

  1. Within AWS, navigate to Security Groups

  2. Edit a Security Group

  3. Click on "Edit inbound rules"

  4. Verify that when the Type is 'SSH,' Source is NOT set to: ALL "0.0.0.0/0" or "::/0"

  5. Save if making any changes

  • Note that this test will only fail if violating security group rules are set up in a region with active network interfaces

  • Note that this test will pass if the "Source" value is another security group

  • Note that this test will not pass if the "Source" value is a specific CIDR range

GCP - VPC Network

Within GCP, you will need to verify that either no firewalls are set up or that there are not any configured firewall rules that allow public SSH access.

HELPFUL RESOURCES

Did this answer your question?