Can I use Service Control Policy in AWS to close public ports?


What is the best way to close public Ports in AWS?

In Azure, we can use a Deny policy to restrict users from exposing ports to the Internet.

Can I do something similar for AWS Security Groups?

3

There are 3 answers

0
Marcin On BEST ANSWER

What is the best way to close public Ports in AWS?

To complement Chris' answer, you could set up an automation based on AWS Config. If you enable it, you can define a number of rules that can monitor your SGs. The rules can be custom or AWS managed. In fact, AWS provides two managed rules that could be useful to you:

The rules would continuously or periodically scan for SG changes and monitor their ports. If any SG is found non-compliant, you could remediate the issue automatically using SSM Automation or an AWS Lambda function.

You could also restrict your users' permissions to modify SGs using an IAM policy. One specific one is:

But the issue is that you can't limit it to specific ports. So either your users have permissions to set ingress rules, or they don't.

0
lorena On

To add to the existing information on here -> The Config response is great, and one we regularly use as well. One additional option is Lambda / CloudWatch. To complement the above remedy, we also implement a Lambda (integrated with a CloudWatch rule), which immediately drops any application team's Security Group update that opens any port to "all" ranges (quad zero). There are few company use cases in which we would want quad zero allowed, and those few use cases must go through an approval process whereby, if approved, an admin allows the needed inbound quad zero request. We also have logging/alerts in place, and it has been an eye opener to see how many times the quad zero reject Lambda has come to our rescue.
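A worked version of the quad-zero-rejecting Lambda that Marcin's and lorena's answers describe, added here as an example and not code from either answer. It assumes an EventBridge (CloudWatch Events) rule that forwards CloudTrail AuthorizeSecurityGroupIngress calls to the function, that the function's role holds ec2:RevokeSecurityGroupIngress, and a placeholder security group id.

```python
# Added example, not code from either answer: a Lambda behind an EventBridge (CloudWatch
# Events) rule that matches CloudTrail AuthorizeSecurityGroupIngress calls and revokes
# only the rules whose source is the whole Internet (0.0.0.0/0 or ::/0).
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def find_public_rules(detail):
    """Return boto3-style IpPermissions for each requested rule whose source is
    quad zero; narrower sources in the same request are left untouched."""
    offending = []
    params = detail.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if r.get("cidrIp") in PUBLIC_CIDRS]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if r.get("cidrIpv6") in PUBLIC_CIDRS]
        if not (v4 or v6):
            continue
        rule = {"IpProtocol": perm["ipProtocol"]}
        if "fromPort" in perm:  # protocol "-1" (all traffic) carries no port range
            rule["FromPort"], rule["ToPort"] = perm["fromPort"], perm["toPort"]
        if v4:
            rule["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            rule["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        offending.append(rule)
    return offending

def lambda_handler(event, context):
    """Lambda entry point: revoke the public rules the caller just authorized."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"revoked": 0}
    rules = find_public_rules(detail)
    if rules:
        import boto3  # local import keeps the detection logic testable without AWS
        group_id = detail["requestParameters"]["groupId"]
        boto3.client("ec2").revoke_security_group_ingress(GroupId=group_id,
                                                          IpPermissions=rules)
        print(f"revoked {len(rules)} public ingress rule(s) from {group_id}")
    return {"revoked": len(rules)}

# Constructed sample (placeholder group id) shaped like a CloudTrail event detail.
SAMPLE_DETAIL = {"eventName": "AuthorizeSecurityGroupIngress", "requestParameters": {
    "groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}}
```

Because the function revokes only the quad-zero entries, a request that mixes an internal CIDR with 0.0.0.0/0 keeps the internal rule, which is the behaviour an approval-based exception process needs.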

0
Chris Williams On

Without an allow in a security group, the default is that the port is going to be blocked; however, security groups do not support an explicit deny, only an allow.

If you want to explicitly deny, you would need to create/modify the NACL being used by the subnet that the instances are residing in.

This will allow you to explicitly deny access from specific ports; however, you should be aware that you will need to consider ephemeral ports when you make these changes, as well as both inbound and outbound directions of traffic.