High
EC2
Regional
Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389
CIS
Description
Checks whether any security group has an inbound rule that allows traffic from 0.0.0.0/0 or ::/0 to port 3389 (RDP), including rules whose port range contains 3389 and "all traffic" rules.
Remediation
To comply with this control, modify the affected security groups so that no inbound rule allows traffic from 0.0.0.0/0 or ::/0 to port 3389 (RDP). Restrict the source to the specific IP ranges that legitimately need RDP access, or remove the rule.
Steps
- Sign in to the AWS Management Console and open the EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, click on 'Security Groups'.
- Select the security group you want to modify.
- In the 'Inbound rules' tab, look for rules that allow RDP traffic (port 3389, or a port range containing it, or all traffic) from 0.0.0.0/0 or ::/0.
- If such a rule exists, click on 'Edit inbound rules' and either modify the source to a more restricted IP range or delete the rule.
- Click on 'Save rules' to apply the changes.
- Verify that the security group no longer allows ingress from 0.0.0.0/0 to port 3389.
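The same check can be run programmatically against the output of the EC2 DescribeSecurityGroups API. The following is an added example, not part of the control text or any AWS tooling: the rule dictionaries follow the IpPermissions structure that API returns, the sample security groups are constructed for illustration, and the helper names are this example's own. It flags rules that expose port 3389 to 0.0.0.0/0 or ::/0, including port ranges that contain 3389 and "all traffic" rules, and shows how to compute a restricted replacement rule for the remediation step.

```python
"""Find EC2 security group rules that expose RDP (TCP 3389) to the world.

Added example. Rule dictionaries follow the IpPermissions shape returned by
the EC2 DescribeSecurityGroups API; the sample groups below are constructed.
"""

RDP_PORT = 3389
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def rule_covers_port(rule, port):
    """True if an IpPermissions entry covers `port`: TCP with a port range
    containing it, or the "-1" protocol, which means all protocols and ports."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def rule_is_world_open(rule):
    """True if any source of the entry is 0.0.0.0/0 (IPv4) or ::/0 (IPv6)."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def find_open_rdp(security_groups, port=RDP_PORT):
    """Return a list of (GroupId, offending rule) pairs that fail the control."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if rule_covers_port(rule, port) and rule_is_world_open(rule):
                findings.append((sg["GroupId"], rule))
    return findings


def restrict_sources(rule, allowed_v4=(), allowed_v6=()):
    """Return a copy of `rule` with the world-open sources removed and the
    given restricted CIDRs added (the 'modify the source' remediation)."""
    fixed = dict(rule)
    fixed["IpRanges"] = [
        r for r in rule.get("IpRanges", []) if r.get("CidrIp") != ANY_IPV4
    ] + [{"CidrIp": c} for c in allowed_v4]
    fixed["Ipv6Ranges"] = [
        r for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") != ANY_IPV6
    ] + [{"CidrIpv6": c} for c in allowed_v6]
    return fixed


def load_from_aws(region):
    """Fetch every security group in a region with boto3. Needs credentials
    and network access, so it is not called when this example runs offline."""
    import boto3  # imported lazily so the rest of the module runs without it

    ec2 = boto3.client("ec2", region_name=region)
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups


# Constructed sample data; group ids are placeholders, not real resources.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-rdp-v4", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-rdp-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-range-v6", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-all-traffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-ssh-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


if __name__ == "__main__":
    for group_id, rule in find_open_rdp(SAMPLE_GROUPS):
        print(f"{group_id}: {rule['IpProtocol']} "
              f"{rule.get('FromPort', 'all')}-{rule.get('ToPort', 'all')} open to the world")
        print("  restricted replacement:", restrict_sources(rule, allowed_v4=("203.0.113.0/24",)))
```

The internal-only group and the SSH-only group are correctly left alone, while the IPv6 port range and the "all traffic" rule are caught even though neither names port 3389 explicitly, which a check that matches only `FromPort == 3389` would miss. Applying the restricted rule to a real group means revoking the original entry and authorizing the replacement (the boto3 EC2 client's `revoke_security_group_ingress` and `authorize_security_group_ingress` calls), then re-running the check as the final step above describes.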
Compliance
CIS