Remote code execution (RCE) from open SSH to internet in AWS security group

Critical Risk infrastructure-security

What it is

A security group ingress rule that allows TCP port 22 from 0.0.0.0/0 (or ::/0 for IPv6) exposes the SSH daemon on every instance using that group to the whole internet. Attackers can brute-force or credential-stuff logins, reuse leaked keys, or exploit a vulnerable sshd to run commands on the host, then pivot within the VPC and exfiltrate data.

Why it happens

A security group ingress rule for TCP port 22 is created with a source of 0.0.0.0/0 (all IPv4) or ::/0 (all IPv6), usually for convenience, and is never narrowed before the instance reaches production.

Root causes

Default Open Configuration

Using 0.0.0.0/0 CIDR during initial development or testing and forgetting to restrict it before production deployment.

Convenience Over Security

Opening SSH to the internet for easier access from multiple locations without implementing proper VPN or bastion solutions.

Lack of IP Allowlist Management

Not maintaining a list of trusted IP ranges for administrative access, leading to overly permissive rules.

Fixes

1. Restrict to Trusted CIDR Blocks

Replace 0.0.0.0/0 with the specific IP ranges of your office network, VPN endpoints, or other trusted locations. Remove the matching ::/0 IPv6 rule as well, and check for rules that cover port 22 indirectly: a TCP port range that includes 22, or an all-traffic (protocol -1) rule from 0.0.0.0/0.

2. Use AWS SSM Session Manager

Eliminate SSH security group rules entirely by using AWS Systems Manager Session Manager for shell access. Instances need the SSM agent and an instance profile that grants the SSM permissions (the AWS managed policy AmazonSSMManagedInstanceCore covers this); no inbound port is required.

3. Implement Bastion Host Architecture

Create a hardened bastion host in a public subnet and only allow SSH from the bastion to internal instances. Reference the bastion's security group ID as the source of the internal rule rather than its IP address, and restrict the bastion's own port 22 to trusted CIDRs so the bastion itself is not open to the internet.
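The following audit script is an added example, not code from this page or from Sourcery or AWS. It covers both the detection described under "What it is" and the first fix above: it reads JSON in the shape returned by `aws ec2 describe-security-groups --output json`, flags every rule that exposes TCP port 22 to 0.0.0.0/0 or ::/0 (including port ranges and all-traffic rules that cover 22), and builds the exact revoke/authorize permissions that scope SSH to a trusted CIDR list. The sample groups, group IDs and CIDRs are constructed for the example.

```python
"""Audit security-group JSON for SSH open to the internet and plan the fix.
Added example (not Sourcery's or AWS's code); the sample input is constructed."""
import ipaddress
import json
from typing import Dict, List, Tuple

SSH_PORT = 22

# Constructed sample: a dev group with the classic open rule (IPv4 and IPv6), a legacy
# group whose all-traffic rule also exposes port 22, and a correctly scoped bastion group.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-dev", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
        {"GroupId": "sg-0aaaa1111bbbb2222", "GroupName": "legacy", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]},
        {"GroupId": "sg-0fedcba9876543210", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}]},
        ]},
    ]
})


def is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a source that admits every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermission entry admits TCP traffic to `port`.
    IpProtocol "-1" means all protocols and all ports, so it covers SSH too."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_ssh(describe_json: str, port: int = SSH_PORT) -> List[Tuple[str, str, str]]:
    """Return (GroupId, IpProtocol, CIDR) for every rule exposing `port` to the internet."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_anywhere(cidr):
                    findings.append((sg["GroupId"], perm["IpProtocol"], cidr))
    return findings


def remediation_plan(describe_json: str, trusted_cidrs: List[str],
                     port: int = SSH_PORT) -> Dict[str, Dict[str, list]]:
    """Per offending group: permissions to revoke (only the open sources, kept in the
    shape the API needs to match the existing rule) and the scoped rule to authorize.
    If you move to SSM Session Manager instead, apply only the revoke half."""
    plan: Dict[str, Dict[str, list]] = {}
    for sg in json.loads(describe_json)["SecurityGroups"]:
        revoke = []
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            bad4 = [r for r in perm.get("IpRanges", []) if is_anywhere(r["CidrIp"])]
            bad6 = [r for r in perm.get("Ipv6Ranges", []) if is_anywhere(r["CidrIpv6"])]
            if not (bad4 or bad6):
                continue
            entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            if bad4:
                entry["IpRanges"] = bad4
            if bad6:
                entry["Ipv6Ranges"] = bad6
            revoke.append(entry)
        if revoke:
            plan[sg["GroupId"]] = {
                "revoke": revoke,
                "authorize": [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                               "IpRanges": [{"CidrIp": c, "Description": "trusted admin range"}
                                            for c in trusted_cidrs]}],
            }
    return plan


def cli_commands(plan: Dict[str, Dict[str, list]]) -> List[str]:
    """Render the plan as AWS CLI calls: revokes first, then the scoped authorize."""
    cmds = []
    for group_id, actions in plan.items():
        for verb in ("revoke", "authorize"):
            for perm in actions[verb]:
                cmds.append(f"aws ec2 {verb}-security-group-ingress --group-id {group_id} "
                            f"--ip-permissions '{json.dumps([perm])}'")
    return cmds


if __name__ == "__main__":
    for finding in find_open_ssh(SAMPLE_DESCRIBE_OUTPUT):
        print("OPEN SSH:", *finding)
    for cmd in cli_commands(remediation_plan(SAMPLE_DESCRIBE_OUTPUT, ["203.0.113.0/24"])):
        print(cmd)
```

Two things to watch when applying the generated commands. Revoking an all-traffic (-1) rule from 0.0.0.0/0, as in the constructed "legacy" group, removes every inbound port that rule granted, not just 22, so re-add the non-SSH ports the workload still needs with their own scoped rules. And the 443 rule in the "web-dev" group is deliberately left alone: the script only acts on rules that cover port 22, so a public web port stays open while the administrative port is closed.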

Detect This Vulnerability in Your Code

Sourcery automatically identifies remote code execution (RCE) from open SSH to the internet in AWS security groups and many other security issues in your codebase.