Test 291: AWS Security Groups HTTP Access Restricted

Drata validates that AWS Security Groups restrict inbound HTTP access (Port 80) to specific IP or IP ranges only.

Updated over 2 months ago

ASSOCIATED DRATA CONTROL

This test is part of the Network Security Controls control (DCF-85), which requires that network security controls be in place to limit inbound and outbound traffic to the environment to only what is necessary based on business justification. All other traffic is specifically denied.

WHAT TO DO IF A TEST FAILS

If Drata finds that one or more AWS Security Groups do not restrict inbound HTTP access (Port 80) to specific IP addresses or IP ranges, the test will fail.

STEPS TO REMEDIATE

  1. Sign into AWS Management Console and navigate to the EC2 dashboard.

  2. Click on 'Security groups' under 'Network & Security'.

  3. Look for security groups failing this test, or security groups that have inbound rules with 'FromPort' and 'ToPort' set to '80' and an 'IpRanges' entry with 'CidrIp' set to '0.0.0.0/0' or an 'Ipv6Ranges' entry with 'CidrIpv6' set to '::/0'. Note that a rule whose port range includes 80 (for example '0' to '1024') or an 'All traffic' rule (protocol '-1') open to '0.0.0.0/0' or '::/0' exposes port 80 in the same way, even though it does not show port '80' on its own.

  4. Select a security group and click on the 'Edit inbound rules' button from the 'Inbound rules' tab.

  5. Restrict public access by locating the rule that allows inbound traffic on port '80' from '0.0.0.0/0' or '::/0' and either deleting the rule or modifying the source to restrict it to a specific IP address or range. To modify the rule, change the 'Source' from '0.0.0.0/0' or '::/0' to a more restrictive CIDR block, such as your organization's IP ranges. If the instance legitimately serves HTTP behind a load balancer or proxy, the source can also be that load balancer's or proxy's security group rather than a CIDR block.

  6. Save changes and repeat for each failing security group.
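The console steps above scale poorly across many accounts and groups, and the step 3 filter misses rules that expose port 80 through a wider port range or an "All traffic" rule. The following script is an added example written for this page, not Drata's own test logic or code from AWS: it reads the JSON that `aws ec2 describe-security-groups` emits (the same structure boto3 returns), reports every ingress rule that admits TCP/80 from '0.0.0.0/0' or '::/0', and prints the `aws ec2 revoke-security-group-ingress` / `authorize-security-group-ingress` commands that perform step 5 with the source narrowed to an allowed CIDR. It deliberately goes beyond the exact 'FromPort'/'ToPort' = 80 match by also catching port ranges covering 80 and protocol '-1'. The embedded `SAMPLE_DESCRIBE_OUTPUT`, its group IDs and the `203.0.113.0/24` allow-list are constructed placeholders.

```python
"""Offline checker for world-open TCP/80 ingress rules in AWS security groups.

Input is the JSON shape produced by `aws ec2 describe-security-groups`.
SAMPLE_DESCRIBE_OUTPUT below is constructed for this example; the group IDs
and CIDRs in it are not real.
"""
import ipaddress
import json
import sys

HTTP_PORT = 80
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"

# Constructed sample: one group wide open on 80 (v4 and v6), one correctly
# restricted to RFC 1918 space, one exposing 80 indirectly via a port range
# and an "all traffic" (-1) rule.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa111", "GroupName": "web-public", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb222", "GroupName": "web-internal", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc333", "GroupName": "legacy-wide-open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")


def permission_covers_port(perm, port=HTTP_PORT):
    """True if one IpPermissions entry would admit TCP traffic to `port`.

    IpProtocol "-1" is "all traffic" and carries no ports.  For tcp the rule
    spans FromPort..ToPort inclusive, so a 0-1024 rule exposes 80 just as an
    80-80 rule does.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def find_public_http_rules(groups, port=HTTP_PORT):
    """Return one finding dict per (rule, world-open CIDR) pair."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_port(perm, port):
                continue
            open_cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_V4]
            open_cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_V6]
            for cidr in open_cidrs:
                findings.append({"GroupId": sg["GroupId"], "IpProtocol": perm["IpProtocol"],
                                 "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                                 "Cidr": cidr})
    return findings


def _ip_permission_shorthand(finding, cidr):
    """AWS CLI --ip-permissions shorthand for one rule with the given source."""
    spec = f"IpProtocol={finding['IpProtocol']},"
    if finding["IpProtocol"] != "-1":  # "all traffic" rules carry no ports
        spec += f"FromPort={finding['FromPort']},ToPort={finding['ToPort']},"
    if ipaddress.ip_network(cidr).version == 6:
        spec += f"Ipv6Ranges=[{{CidrIpv6={cidr}}}]"
    else:
        spec += f"IpRanges=[{{CidrIp={cidr}}}]"
    return spec


def remediation_commands(findings, allowed_cidr):
    """Revoke each world-open rule, then re-add it with the source narrowed to
    `allowed_cidr`.  A rule is only re-added when `allowed_cidr` is the same
    address family; an IPv6 wildcard with an IPv4 allow-list is just revoked."""
    allowed_version = ipaddress.ip_network(allowed_cidr).version
    cmds = []
    for f in findings:
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {f['GroupId']} "
                    f"--ip-permissions '{_ip_permission_shorthand(f, f['Cidr'])}'")
        if ipaddress.ip_network(f["Cidr"]).version == allowed_version:
            cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {f['GroupId']} "
                        f"--ip-permissions '{_ip_permission_shorthand(f, allowed_cidr)}'")
    return cmds


if __name__ == "__main__":
    # Usage: python sg_http_check.py [describe-security-groups.json] [allowed-cidr]
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DESCRIBE_OUTPUT
    allowed = sys.argv[2] if len(sys.argv) > 2 else "203.0.113.0/24"  # placeholder org range
    hits = find_public_http_rules(data["SecurityGroups"])
    for h in hits:
        print(f"{h['GroupId']}: {h['IpProtocol']} {h['FromPort']}-{h['ToPort']} from {h['Cidr']}")
    print("\n".join(remediation_commands(hits, allowed)))
```

Run it against a saved `aws ec2 describe-security-groups --output json > sgs.json` and review the printed commands before executing them: the script re-adds a rule with exactly the port range it found, so a 0-1024 or "all traffic" rule scoped to your office range is still far wider than a single port-80 rule and should usually be narrowed further by hand.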
