Severity: High
Description: This control ensures that no Network ACL allows ingress from 0.0.0.0/0 to port 22. It is recommended that no NACL allows unrestricted ingress access to port 22. Public access to port 22 increases the resource attack surface and unnecessarily raises the risk of resource compromise.
Remediation Steps:
Perform the following to modify the network ACL for the VPC:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to VPC console.
In the left pane, click Network ACLs.
Select the network ACL to be updated.
Click the Inbound Rules tab.
Click Edit inbound rules.
For the rule which allows ingress from 0.0.0.0/0 to port 22, either update the Source field to a range other than 0.0.0.0/0 or click Delete to remove the inbound rule.
Click Save.
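To find the offending rules before remediating them, the following added example (not part of this control's text or of any AWS tooling) evaluates NACL entries in the shape returned by the EC2 DescribeNetworkAcls API. The sample data is constructed; in a real account the same function can be fed boto3.client("ec2").describe_network_acls()["NetworkAcls"].

```python
# Added example: flag NACL inbound entries that allow 0.0.0.0/0 (or ::/0) to TCP/22.
# Like the CIS check, it inspects each allow entry on its own and does not
# evaluate rule ordering (a lower-numbered deny is not taken into account).

def entry_exposes_ssh(entry):
    """True if one NACL entry allows unrestricted inbound access that covers TCP port 22."""
    if entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False
    if entry.get("CidrBlock") != "0.0.0.0/0" and entry.get("Ipv6CidrBlock") != "::/0":
        return False
    proto = str(entry.get("Protocol"))
    if proto == "-1":            # all protocols, all ports
        return True
    if proto != "6":             # not TCP (protocol number 6)
        return False
    port_range = entry.get("PortRange")
    if port_range is None:       # TCP entry without a range covers every port
        return True
    return port_range["From"] <= 22 <= port_range["To"]

def find_open_ssh_nacls(network_acls):
    """Return [(NetworkAclId, RuleNumber), ...] for every offending inbound entry."""
    findings = []
    for acl in network_acls:
        for entry in acl.get("Entries", []):
            if entry_exposes_ssh(entry):
                findings.append((acl["NetworkAclId"], entry["RuleNumber"]))
    return findings

# Constructed sample in the DescribeNetworkAcls response shape (not real account data).
SAMPLE_NACLS = [
    {"NetworkAclId": "acl-0a1b2c3d4e5f60001", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},        # violation
        {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},       # scoped source: fine
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},                                             # default deny
    ]},
    {"NetworkAclId": "acl-0a1b2c3d4e5f60002", "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},                                             # egress: ignored
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
         "Ipv6CidrBlock": "::/0"},                                              # all traffic: violation
        {"RuleNumber": 200, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 443}},      # 22 not in range
    ]},
]

if __name__ == "__main__":
    for acl_id, rule_number in find_open_ssh_nacls(SAMPLE_NACLS):
        print(f"{acl_id}: inbound rule {rule_number} allows unrestricted access to port 22")
```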
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #5.1 (check 1)
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison