Drata validates that no security groups in the cloud infrastructure have inbound rules that allow access to the RDP port (3389) with a source of 0.0.0.0/0 or ::/0.
Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH on port 22 and RDP on port 3389, using the TCP (6), UDP (17) or ALL (-1) protocols. Note that a rule whose port range merely includes 3389 (for example 3000-4000), or an ALL (-1) rule with no port range at all, exposes RDP just as a rule written for 3389 alone does.
Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.
ASSOCIATED DRATA CONTROL
This test is part of the Access to Remote Server Administration Ports Restricted control (DCF-73), which requires that network security controls restrict public access to remote server administration ports (e.g., SSH, RDP) to authorized IP addresses or address ranges only.
WHAT TO DO IF A TEST FAILS
If Drata finds that one or more of your security groups allow public RDP access, that is, an inbound rule reaching port 3389 whose source is 0.0.0.0/0 or ::/0, the test will fail.
STEPS TO REMEDIATE
From the AWS Management Console, select 'VPCs' and, under 'Security Groups', perform the following steps for each failing security group:
Select the security group.
Click the 'Inbound Rules' tab.
Click the 'Edit inbound rules' button.
Either update the 'Source' field to the specific authorized IP address or range that needs RDP access (anything other than 0.0.0.0/0 or ::/0), or click 'Delete' to remove the rule. If the rule lists several sources, remove only the public one so that the authorized ranges keep working.
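The same check can be run outside the console, which is useful for auditing many accounts or for confirming a fix before Drata re-tests. The script below is an added example, not Drata's code and not part of the CIS benchmark: it evaluates the 'SecurityGroups' list returned by the EC2 DescribeSecurityGroups API (a live boto3 response or a saved JSON dump), applies the rule logic described above (TCP, UDP or ALL reaching 3389 from 0.0.0.0/0 or ::/0, including port ranges that merely include 3389), and builds the AWS CLI revoke command that removes only the public source from each offending rule. The security group IDs, names and CIDRs in the sample are constructed.

```python
"""Flag security-group inbound rules exposing RDP (3389) to 0.0.0.0/0 or ::/0.

Added example, not Drata's or CIS's code. Input is the 'SecurityGroups' list
from the EC2 DescribeSecurityGroups API (live boto3 response or saved JSON).
"""
import ipaddress
import json

RDP_PORT = 3389
# Protocols the CIS check covers: TCP (6), UDP (17), all (-1). The API names
# the first two, so numeric forms are normalised before comparison.
PROTOCOL_NAMES = {"6": "tcp", "17": "udp"}
CHECKED_PROTOCOLS = {"tcp", "udp", "-1"}
PUBLIC_V4 = ipaddress.ip_network("0.0.0.0/0")
PUBLIC_V6 = ipaddress.ip_network("::/0")


def rule_covers_port(perm: dict, port: int = RDP_PORT) -> bool:
    """True if one IpPermissions entry admits traffic to `port`: -1 matches
    every port; a tcp/udp rule missing a bound is flagged rather than skipped."""
    proto = str(perm.get("IpProtocol", "")).lower()
    proto = PROTOCOL_NAMES.get(proto, proto)
    if proto not in CHECKED_PROTOCOLS:
        return False
    if proto == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is None or hi is None or lo <= port <= hi


def public_sources(perm: dict) -> list:
    """Unrestricted sources (0.0.0.0/0, ::/0) in one rule. Security-group
    references, prefix lists and narrower CIDRs are out of scope for this test."""
    hits = [r["CidrIp"] for r in perm.get("IpRanges", [])
            if ipaddress.ip_network(r["CidrIp"], strict=False) == PUBLIC_V4]
    hits += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
             if ipaddress.ip_network(r["CidrIpv6"], strict=False) == PUBLIC_V6]
    return hits


def find_public_rdp_rules(security_groups: list) -> list:
    """One finding per (group, rule) that opens RDP to the whole Internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = public_sources(perm) if rule_covers_port(perm) else []
            if sources:
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg.get("GroupName", ""),
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Sources": sources,
                })
    return findings


def revoke_command(finding: dict) -> str:
    """AWS CLI command removing only the public source(s) from the rule, so an
    authorised CIDR sharing the same rule (as in sg-0a01 below) is kept."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    v4 = [{"CidrIp": s} for s in finding["Sources"] if ":" not in s]
    v6 = [{"CidrIpv6": s} for s in finding["Sources"] if ":" in s]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    body = json.dumps([perm], separators=(",", ":"))
    return (f"aws ec2 revoke-security-group-ingress --group-id "
            f"{finding['GroupId']} --ip-permissions '{body}'")


# Constructed sample in DescribeSecurityGroups shape; not real account data.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a01", "GroupName": "rdp-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0a02", "GroupName": "all-open-v6", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a03", "GroupName": "rdp-corp-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-0a04", "GroupName": "udp-wide-range", "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a05", "GroupName": "ssh-open-not-this-test", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0a06", "GroupName": "rdp-from-bastion-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "UserIdGroupPairs": [{"GroupId": "sg-0a03"}]}]},
]

if __name__ == "__main__":
    # For a real account, concatenate the "SecurityGroups" pages from
    # boto3.client("ec2").get_paginator("describe_security_groups").paginate().
    for f in find_public_rdp_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} "
              f"{f['FromPort']}-{f['ToPort']} from {f['Sources']}")
        print("  remediate:", revoke_command(f))
```

Two caveats when using this as a gate. First, it mirrors the test's scope and only matches the literal 0.0.0.0/0 and ::/0; a pair of rules for 0.0.0.0/1 and 128.0.0.0/1 is just as open to the Internet but passes, so a passing result is not proof that RDP is restricted to authorized ranges as DCF-73 requires. Second, the generated command revokes only the public source; review the remaining sources on the rule against your list of authorized addresses rather than assuming they are correct.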
Center for Internet Security (CIS)
This test aligns with the Center for Internet Security (CIS) Foundations Benchmark for Amazon Web Services, which provides prescriptive guidance for establishing a secure baseline configuration. To learn more, refer to the Center for Internet Security (CIS) section.