Workspaces - Default controller security group fails Critical Config Rules - AWS Foundational Security Best Practices v1.0.0 - EC2.19 & EC2.18


When applying default settings using Simple AD, we have two alerts flagged:

  • Critical - EC2.19 - Security groups should not allow unrestricted access to ports with high risk
  • High - EC2.18 - Security groups should only allow unrestricted incoming traffic for authorized ports

EC2.19 - Security groups should not allow unrestricted access to ports with high risk:

  • Even when using IP Access Controls Groups within the directory, I still have a critical failure in the security hub report.
  • Cause: Ports 1024-65535, 135, 445 are open to all (0.0.0.0/0)
  • Temporary resolution: additionally assign my IP to this security group
  • But what should the CORRECT approach be? Surely this should align with the ip access control groups set at the directory level. Manually adding IPs into this security group, just to pass doesn't seem sustainable. Please advise!

EC2.18 - Security groups should only allow unrestricted incoming traffic for authorized ports

  • I have no remediation for this.
  • Cause: No udp ['138', '464', '389', '53', '123', '88'] port is authorized to be open, according to the authorizedTcpPorts parameter. No tcp ['464', '389', '88', '3268-3269', '636', '53'] port is authorized to be open, according to authorizedTcpPorts v [truncated]
  • I don't know what traffic I should be restricting access from. Please advise. By locking down these to my local IP, I cannot seem to access the workspace from the client.
1 Answer

Yup,

This always flags up this one. This is because AWS creates these security groups automatically with Managed AD. If creating this via Terraform, you cannot manage the security groups either.

Technically you may get away with replacing 0.0.0.0/0 with your VPC CIDR range/subnets that need access. Your local IP will not work here (if local IP is your remote computer).

Here's why you could ignore them:

Creates an AWS security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic to ENIs or instances attached to the created AWS security group. The default inbound rules allow only traffic through ports that are required by Active Directory from any source (0.0.0.0/0). The 0.0.0.0/0 rules do not introduce security vulnerabilities as traffic to the domain controllers is limited to traffic from your VPC, from other peered VPCs, or from networks that you have connected using AWS Direct Connect, AWS Transit Gateway, or Virtual Private Network. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC and VPC-routed traffic. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers.

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.html

You can add these to the config rule here as authorised ports https://docs.aws.amazon.com/config/latest/developerguide/vpc-sg-open-only-to-authorized-ports.html

No udp ['138', '464', '389', '53', '123', '88'] port is authorized to be open, according to the authorizedTcpPorts parameter No tcp ['464', '389', '88', '3268-3269', '636', '53'] port is authorized to be open, according to authorizedTcpPorts v [truncated]

answered 9 months ago
  • Thanks, this is useful input for both, much appreciated. I'll continue to wait for an official response through our TAM. I'll update here once additional info is given by AWS.
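To see concretely which rules in the directory controller group trip each check, and what the answer's two suggestions (listing the AD ports as authorized ports in the Config rule, or replacing 0.0.0.0/0 with the VPC CIDR) change, here is an added, self-contained Python example. It is not code from the thread or from AWS; the ingress rules are constructed from the ports the question lists, and `unauthorized_ports` only mimics the logic of vpc-sg-open-only-to-authorized-ports rather than calling the real rule.

```python
from ipaddress import ip_network

# Constructed sample modelled on the directory-controller group the question
# describes: AD ports plus tcp 135, 445 and 1024-65535, all open to 0.0.0.0/0.
def _rule(proto, lo, hi, cidr="0.0.0.0/0"):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr}]}

SAMPLE_INGRESS = (
    [_rule("tcp", p, p) for p in (53, 88, 135, 389, 445, 464, 636)]
    + [_rule("tcp", 3268, 3269), _rule("tcp", 1024, 65535)]
    + [_rule("udp", p, p) for p in (53, 88, 123, 138, 389, 464)]
)

def parse_ports(spec):
    """Parse a Config-style port list, e.g. '53,88,3268-3269', into (lo, hi) pairs."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            lo, _, hi = item.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def open_to_world(ingress, within=None):
    """Rules whose source is 0.0.0.0/0. With `within` (a CIDR string), return
    instead the rules whose source is NOT inside that network: the check to run
    after swapping 0.0.0.0/0 for your VPC CIDR as the answer suggests."""
    net = ip_network(within) if within else None
    hits = []
    for r in ingress:
        for ip in r.get("IpRanges", []):
            src = ip_network(ip["CidrIp"])
            world = net is None and src.prefixlen == 0
            outside = net is not None and not src.subnet_of(net)
            if world or outside:
                hits.append((r["IpProtocol"], r["FromPort"], r["ToPort"]))
    return hits

def unauthorized_ports(ingress, authorized_tcp, authorized_udp):
    """Mimic vpc-sg-open-only-to-authorized-ports: a world-open rule passes only
    if its whole port range lies inside one authorized range for its protocol."""
    allowed = {"tcp": parse_ports(authorized_tcp), "udp": parse_ports(authorized_udp)}
    return [(proto, lo, hi) for proto, lo, hi in open_to_world(ingress)
            if not any(a <= lo and hi <= b for a, b in allowed.get(proto, []))]
```

With the AD ports from the finding text supplied as the authorized lists, only tcp 135, 445 and 1024-65535 remain flagged, which matches the EC2.19 cause the question quotes.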
