AWS

Last updated Apr 30, 2025

AWS Security Group Open to the World

Detects when a user adds an ingress rule to an AWS security group that allows inbound access from the entire internet (0.0.0.0/0 or ::/0).

Query

AWS CloudTrail records an AuthorizeSecurityGroupIngress event whenever an ingress rule is added to a security group. The request parameters (req_params, CloudTrail's requestParameters field) have the following structure; note that CloudTrail encodes every list as an object with an items array:

{
    "groupId": "sg-00112233445566778",
    "ipPermissions": {
        "items": [
            {
                "ipRanges": {
                    "items": [
                        {
                            "description": "",
                            "cidrIp": "0.0.0.0/0"
                        }
                    ]
                },
                "prefixListIds": {},
                "fromPort": 22,
                "toPort": 22,
                "groups": {},
                "ipProtocol": "tcp",
                "ipv6Ranges": {}
            }
        ]
    }
}

The query reads groupId and ipPermissions.items from req_params with valueof(), uses explode so that each permission entry becomes its own row, extracts ipRanges.items from that entry and explodes it again, and then uses parsemap with overlay=t to lift the fields of each range (cidrIp, description) to the top level, where cidrIp is renamed to cidr. A row matches when cidr is 0.0.0.0/0 or ::/0. Two caveats a practitioner should be aware of: IPv6 ranges are recorded under ipv6Ranges.items with a cidrIpv6 field rather than under ipRanges, so as written the ::/0 match only fires for a value that appears in cidrIp, and a rule for all traffic (ipProtocol "-1") carries no fromPort/toPort, so those fields are empty in the alert for such rules.

| search event_name == "AuthorizeSecurityGroupIngress"
| eval group_id = valueof(req_params, "groupId"), items = valueof(valueof(req_params, "ipPermissions"), "items")
| explode items
| eval ip_ranges = valueof(valueof(items, "ipRanges"), "items"), from_port = valueof(items, "fromPort"), to_port = valueof(items, "toPort"), protocol = upper(valueof(items, "ipProtocol")) 
| explode ip_ranges 
| parsemap field=ip_ranges overlay=t 
| fields - items, ip_ranges  
| rename cidrIp as cidr 
| search in(cidr, "0.0.0.0/0", "::/0")
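The same detection as stand-alone Python, added here as an example and not part of the rule's own query, run over a constructed CloudTrail-style log file (the records, account and security group identifiers are made up). It goes slightly beyond the query above: it also walks ipv6Ranges/cidrIpv6 so that ::/0 is actually caught, and it treats ipProtocol "-1" (all traffic, no port range) as "Port all" in the message. Top-level field names (eventName, eventID, userIdentity, sourceIPAddress, awsRegion, requestParameters) are CloudTrail's; the helper names are this example's own.

```python
"""Open-to-the-world ingress detection over CloudTrail records (added example)."""
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail-style log file, not real data. CloudTrail delivers
# {"Records": [...]} and encodes every array as {"items": [...]}.
SAMPLE_LOG = r'''{"Records": [
 {"eventName": "AuthorizeSecurityGroupIngress", "eventID": "e1",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1",
  "requestParameters": {"groupId": "sg-00112233445566778",
   "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0", "description": ""}]},
     "ipv6Ranges": {}, "prefixListIds": {}, "groups": {}},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8", "description": "intranet"}]},
     "ipv6Ranges": {}}]}}},
 {"eventName": "AuthorizeSecurityGroupIngress", "eventID": "e2",
  "userIdentity": {"type": "AssumedRole",
   "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"},
  "sourceIPAddress": "203.0.113.9", "awsRegion": "eu-west-1",
  "requestParameters": {"groupId": "sg-0aabbccddeeff0011",
   "ipPermissions": {"items": [
    {"ipProtocol": "-1", "ipRanges": {},
     "ipv6Ranges": {"items": [{"cidrIpv6": "::/0", "description": "tmp"}]}}]}}},
 {"eventName": "RevokeSecurityGroupIngress", "eventID": "e3",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"groupId": "sg-00112233445566778"}}
]}'''


def _items(container):
    """CloudTrail list encoding: {"items": [...]}; an empty object means no entries."""
    return (container or {}).get("items", [])


def _actor(identity):
    """Best available principal name: IAM user name, else ARN (assumed roles), else type."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def open_ingress_rules(event):
    """Yield one alert dict per world-open range in an AuthorizeSecurityGroupIngress event."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return
    params = event.get("requestParameters") or {}
    identity = event.get("userIdentity") or {}
    for perm in _items(params.get("ipPermissions")):
        # IPv4 ranges carry cidrIp, IPv6 ranges carry cidrIpv6; check both.
        ranges = [(r.get("cidrIp"), r.get("description", "")) for r in _items(perm.get("ipRanges"))]
        ranges += [(r.get("cidrIpv6"), r.get("description", "")) for r in _items(perm.get("ipv6Ranges"))]
        for cidr, description in ranges:
            if cidr not in OPEN_CIDRS:
                continue
            yield {
                "event_id": event.get("eventID"),
                "src_ip": event.get("sourceIPAddress"),
                "aws_region": event.get("awsRegion"),
                "user_type": identity.get("type"),
                "user": _actor(identity),
                "event_name": event["eventName"],
                "group_id": params.get("groupId"),
                "cidr": cidr,
                "protocol": str(perm.get("ipProtocol", "")).upper(),
                "from_port": perm.get("fromPort"),  # absent for ipProtocol "-1"
                "to_port": perm.get("toPort"),
                "description": description,
            }


def scan(log_text):
    """Parse a CloudTrail log file and return all alerts, in record order."""
    records = json.loads(log_text).get("Records", [])
    return [alert for rec in records for alert in open_ingress_rules(rec)]


def alert_message(alert):
    """Same wording as the rule's Message; all-traffic rules have no port range."""
    ports = "all" if alert["from_port"] is None else f"{alert['from_port']}-{alert['to_port']}"
    return (f"AWS Security Group Open to the World: User {alert['user']}, "
            f"Security Group {alert['group_id']}, Port {ports}")


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(alert_message(a), "|", a["protocol"], a["cidr"], "from", a["src_ip"])
```

Running it over the sample file produces two alerts: the SSH rule opened by alice from 198.51.100.7, and the IPv6 all-traffic rule opened through the assumed role; the 10.0.0.0/8 rule and the Revoke event are ignored.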

Message

  • AWS Security Group Open to the World: User $user, Security Group $group_id, Port $from_port-$to_port

Output Field Order

  • _log_time, event_id, src_ip, account_id, aws_region, user_type, user, event_name, group_id, cidr, mask, protocol, from_port, to_port, description, user_agent

Threat Analysis

  • Allowing 0.0.0.0/0 (or ::/0 for IPv6) means the resource is reachable from every host on the internet. This exposes services such as SSH (22), RDP (3389), or databases (3306, 5432, etc.) directly to attackers.
  • Such services can be quickly identified by internet-wide scanners (e.g., Criminal IP, Shodan, Censys) and become targets for brute-force attacks, vulnerability scans, and remote code execution (RCE) attempts.
  • An attacker may deliberately modify security group rules to open a backdoor communication channel or establish Command & Control (C2) connectivity.

False Positive Types

  • Services that are legitimately exposed to the internet (e.g., web servers on ports 80/443).
  • Cases where security controls are enforced at another layer (e.g., VPN, firewall), while the security group is left loosely configured.

Response Actions

Immediate Actions

  • Remove unnecessary 0.0.0.0/0 rules from the security group immediately.
  • If necessary, restrict access to specific IP ranges (e.g., corporate network, VPN IPs).
  • In emergencies, add a temporary deny entry to the subnet's Network ACL (NACL) to block the risky port while the rule is being cleaned up. AWS WAF only inspects HTTP(S) requests reaching an ALB, CloudFront or API Gateway and cannot block non-web ports such as 22 or 3389.
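One way to carry out the first two actions programmatically, as an added example that is not part of the original page: build the exact revoke and re-authorize requests for an alert produced by the detection and send them through an EC2 client. The method names and argument shapes (revoke_security_group_ingress, authorize_security_group_ingress, IpPermissions with IpRanges/Ipv6Ranges) are those of the real boto3 EC2 client; the client itself is passed in, so a RecordingClient stand-in (a hypothetical helper for dry runs) lets the logic run without credentials or network. The restricted rule is authorized before the open one is revoked so legitimate users never lose access during the swap.

```python
"""Swap a world-open ingress rule for an allow-list of CIDRs (added example)."""
import ipaddress

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def _permission(alert, cidrs, description=None):
    """One IpPermissions entry in the EC2 API shape. Protocol -1 takes no ports;
    IPv4 and IPv6 CIDRs go into IpRanges and Ipv6Ranges respectively."""
    perm = {"IpProtocol": alert["protocol"].lower()}
    if alert["from_port"] is not None:
        perm["FromPort"] = alert["from_port"]
        perm["ToPort"] = alert["to_port"]
    v4, v6 = [], []
    for cidr in cidrs:
        (v4 if ipaddress.ip_network(cidr, strict=False).version == 4 else v6).append(cidr)

    def entry(key, cidr):
        e = {key: cidr}
        if description:
            e["Description"] = description
        return e

    if v4:
        perm["IpRanges"] = [entry("CidrIp", c) for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [entry("CidrIpv6", c) for c in v6]
    return perm


def remediate(ec2, alert, allowed_cidrs, reason="restricted after SG-open-to-world alert"):
    """Authorize the same port range for allowed_cidrs, then revoke the open rule.
    Returns (authorize_request, revoke_request); authorize_request is None when
    no replacement CIDRs are given (the rule is simply removed)."""
    if alert["cidr"] not in OPEN_CIDRS:
        raise ValueError(f"refusing to touch non-world-open rule {alert['cidr']}")
    authorize = None
    if allowed_cidrs:
        authorize = {"GroupId": alert["group_id"],
                     "IpPermissions": [_permission(alert, list(allowed_cidrs), reason)]}
        ec2.authorize_security_group_ingress(**authorize)
    # Revoke matches on protocol, ports and CIDR; no description is needed.
    revoke = {"GroupId": alert["group_id"],
              "IpPermissions": [_permission(alert, [alert["cidr"]])]}
    ec2.revoke_security_group_ingress(**revoke)
    return authorize, revoke


class RecordingClient:
    """Dry-run stand-in for boto3.client("ec2"): records calls instead of sending them."""

    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kwargs):
        self.calls.append(("authorize", kwargs))

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("revoke", kwargs))


if __name__ == "__main__":
    # Alert fields as produced by the detection (constructed values).
    alert = {"group_id": "sg-00112233445566778", "protocol": "TCP",
             "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}
    ec2 = RecordingClient()  # use boto3.client("ec2", region_name=...) to apply for real
    for name, request in (remediate(ec2, alert, ["203.0.113.0/24", "2001:db8::/32"]), ec2.calls)[1]:
        print(name, request)
```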

Root Cause Analysis

  • Verify whether the change was made by an authorized administrator or by a compromised account.
  • Check whether the rule was automatically deployed via Infrastructure as Code (IaC) pipelines (Terraform, CloudFormation, etc.).

Post-Incident Actions

  • Apply the principle of least privilege: remove unnecessary accounts/roles with security group modification permissions.
  • Enable AWS Config managed rules such as restricted-ssh and restricted-common-ports (which flag security groups that allow 0.0.0.0/0 inbound to those ports) with automatic remediation, and use GuardDuty findings for detection of follow-on activity; note that GuardDuty detects but does not prevent such changes.
  • Strengthen change approval processes: security group changes in production must go through security/operations team review.
  • Continuously monitor for external access attempts and check for intrusion evidence in network/endpoint logs during the period when the change was active.

MITRE ATT&CK