A security group that allows 0.0.0.0/0 to reach SSH (22) or RDP (3389) is top of the attack-surface stack — internet-reachable administrative access is exactly what gets brute-forced. It maps to CIS 5.2/5.3 and Security Hub [EC2.13] (SSH) and [EC2.14] (RDP), with [EC2.53]/[EC2.54] covering other common ports.
Practitioner guidance, not legal or audit advice.
Find them all
aws ec2 describe-security-groups \
  --filters Name=ip-permission.cidr,Values=0.0.0.0/0 \
            Name=ip-permission.from-port,Values=22 \
  --query "SecurityGroups[].{Name:GroupName,Id:GroupId}"

Repeat for port 3389. Don't trust "we'd never do that" — these accumulate from quick fixes that never got reverted.
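One caveat a practitioner will hit with the CLI filter above: the two filters are evaluated against the group as a whole, so a group with one rule for 0.0.0.0/0 on 443 and a separate rule for port 22 from an internal range still matches, while a rule opening 1024-65535 (which includes 3389) or all traffic (protocol -1) to the world is missed because from-port is not exactly 22 or 3389. The script below is an added example, not code from the original page; it reads the JSON that `aws ec2 describe-security-groups --output json` produces and checks CIDR and port on the same rule, handling port ranges, IPv6 `::/0` and all-traffic rules. The group ids and names in `SAMPLE` are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Not real account data: group ids and names are made up for this example.
SAMPLE = {
    "SecurityGroups": [
        {   # flagged: SSH open to the world on a dedicated rule
            "GroupName": "legacy-bastion", "GroupId": "sg-0000000000000001",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {   # flagged: a wide range that includes RDP, open to any IPv6 source
            "GroupName": "dev-sandbox", "GroupId": "sg-0000000000000002",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {   # flagged twice: all traffic (protocol -1 carries no FromPort/ToPort)
            "GroupName": "wide-open", "GroupId": "sg-0000000000000003",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {   # not flagged: SSH from a corporate range, HTTPS to the world (the
            # group-level CLI filter would have matched this one)
            "GroupName": "web", "GroupId": "sg-0000000000000004",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}

ANY_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def rule_is_world_open(perm):
    """True if this single IpPermission grants access from 0.0.0.0/0 or ::/0."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & ANY_CIDRS)


def rule_covers_port(perm, port):
    """True if this IpPermission's protocol and port range include `port`.

    IpProtocol "-1" means all traffic and has no FromPort/ToPort. SSH and RDP
    are TCP services, so udp/icmp rules never count.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_open_admin_ports(describe_output, ports=ADMIN_PORTS):
    """One finding per (group, rule, port) where an admin port is world-reachable.

    CIDR and port are checked on the same rule, unlike the group-level CLI filter.
    """
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not rule_is_world_open(perm):
                continue
            for port, label in ports.items():
                if rule_covers_port(perm, port):
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "GroupName": sg.get("GroupName", ""),
                        "Port": port,
                        "Service": label,
                        "Protocol": perm.get("IpProtocol"),
                        "FromPort": perm.get("FromPort", "all"),
                        "ToPort": perm.get("ToPort", "all"),
                    })
    return findings


def main():
    # Real use:  aws ec2 describe-security-groups --output json | python3 find_open_admin.py
    # With nothing piped in, the constructed SAMPLE is scanned instead.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_open_admin_ports(data):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Service']} tcp/{f['Port']} "
              f"reachable from the internet via rule {f['Protocol']} "
              f"{f['FromPort']}-{f['ToPort']}")


if __name__ == "__main__":
    main()
```

Run it once per region; the output is the remediation list for the revoke step, and the same rule-level check is what a Config custom rule or a Security Hub finding is effectively doing for you.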
Close them — the right way
Revoking the rule is the immediate fix:
aws ec2 revoke-security-group-ingress \
  --group-id <sg-id> --protocol tcp --port 22 --cidr 0.0.0.0/0

But the better fix removes the need for open admin ports entirely:
- Use AWS Systems Manager Session Manager for shell access — no inbound port, no bastion, fully logged. This is the single best upgrade here.
- If you need network access, restrict the CIDR to your corporate range or a VPN, never 0.0.0.0/0.
- For RDP, the same: Session Manager / Fleet Manager or a tightly scoped CIDR.
Session Manager is the move that makes this finding structurally impossible to recur — there's no open port to misconfigure.
Keep it fixed
The Config rules restricted-ssh, restricted-common-ports, and vpc-sg-open-only-to-authorized-ports catch regressions. An SCP can deny creating the offending rule in the first place. Consider auto-remediation to revoke any newly-opened admin port automatically — this is one of the safest fixes to automate.
Why it matters for CPS 234
This is the highest-risk "implementation of controls" failure because it's directly exploitable from the internet. In ThreatScore terms it's pure Attack Surface — fix it before anything else, regardless of how the rest of your posture looks. It's CPS 234 Para 21 network controls, and the Config snapshot is your evidence.
Primary sources: AWS Systems Manager Session Manager · Security Hub FSBP standard