One of the best things you can do to protect your AWS instances is to ensure your users NEVER use the default ‘launch-wizard’ Security Group, which allows “0.0.0.0/0” for administrative access over ports 22 or 3389. Not using the AWS default Security Group is a ‘top recommended’ practice by pretty much every Cloud Security vendor out there. It makes sense: this default setting opens your servers up to the entire world, CHINA, Russia, etc… And with all of the automated brute force scripts the bad guys are using, your instances don’t stand a chance.
AWS provides a way of mitigating this via AWS Config and gives some examples. I found AWS Config to be too restrictive with regards to custom Security Groups: with AWS Config you define your “compliant” Security Groups, which default to a standard, and if a Security Group doesn’t match a compliant group, some action can be taken (e.g. notify via SNS or Lambda). Although ideal in a perfect world, this scenario does not match every use case cleanly. There are also some other ways of dealing with this, closer to the source, that I will explore soon.
For now, for a “bolts and braces” approach, you may just want to disallow Security Groups which permit traffic from the entire world (“0.0.0.0/0”) over 3389 or 22. Just doing this one thing is HUGE!!! Until AWS gets rid of this as the DEFAULT option for ‘launch-wizard’, your users will launch instances with this group. So I have a script . . .
This script, which uses the boto 2.x library, can be run on an EC2 instance; it lists and remediates the 0.0.0.0/0 groups and replaces the quad zero with an IP of your choice! Lambda no longer supports the older boto libraries, so this particular script can be run as a cron job on AWS Linux, launched with an IAM role like the following:
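The script itself is not reproduced here, so as an added example (my own code, not the author’s boto 2.x script) here is the same idea written against the shape boto3’s describe_security_groups() returns: find every rule that opens 22 or 3389 to 0.0.0.0/0 or ::/0, plan a fix that revokes the world rule and re-authorizes the same ports from a CIDR you choose, and optionally apply that plan with boto3. The security group records, group ids, names and CIDRs below are constructed sample data, and the replacement CIDR is a placeholder; boto3 is imported only inside apply_plan() so the finder and planner run offline.

```python
"""Find security-group rules that open SSH (22) or RDP (3389) to the world,
plan the remediation, and optionally apply it with boto3.
Added example; the group records below are constructed, not real."""
import ipaddress

ADMIN_PORTS = (22, 3389)
WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def permission_covers_admin_port(perm):
    """True if an IpPermission lets TCP (or all-protocol) traffic reach 22 or 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rules carry no port fields
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def find_world_open_admin_rules(groups):
    """One finding per (group, permission, world CIDR) that exposes an admin port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not permission_covers_admin_port(perm):
                continue
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in ranges:
                if cidr in WORLD_CIDRS:
                    findings.append({
                        "GroupId": sg["GroupId"],
                        "GroupName": sg.get("GroupName", ""),
                        "IpProtocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"),   # None for protocol "-1"
                        "ToPort": perm.get("ToPort"),
                        "WorldCidr": cidr,
                    })
    return findings


def _permission(finding, cidr):
    """Build the exact IpPermission dict EC2 needs to revoke/authorize one range."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    v6 = ipaddress.ip_network(cidr).version == 6
    perm["Ipv6Ranges" if v6 else "IpRanges"] = [{"CidrIpv6" if v6 else "CidrIp": cidr}]
    return perm


def build_remediation_plan(findings, replacement_cidr):
    """Revoke each world-open rule and re-open the same ports only from replacement_cidr."""
    replacement = ipaddress.ip_network(replacement_cidr)
    if str(replacement) in WORLD_CIDRS:
        raise ValueError("replacement CIDR must not itself be the whole world")
    plan = []
    for f in findings:
        plan.append({"action": "revoke", "GroupId": f["GroupId"],
                     "IpPermissions": [_permission(f, f["WorldCidr"])]})
        # Re-authorize only within the same address family; an IPv6 world rule
        # with an IPv4 replacement is simply closed.
        if ipaddress.ip_network(f["WorldCidr"]).version == replacement.version:
            plan.append({"action": "authorize", "GroupId": f["GroupId"],
                         "IpPermissions": [_permission(f, str(replacement))]})
    return plan


def apply_plan(plan, region_name=None, dry_run=True):
    """Execute the plan against EC2 (needs an IAM role with ec2:Revoke/AuthorizeSecurityGroupIngress)."""
    import boto3  # imported lazily so everything above runs without AWS access
    ec2 = boto3.client("ec2", region_name=region_name)
    for step in plan:
        call = (ec2.revoke_security_group_ingress if step["action"] == "revoke"
                else ec2.authorize_security_group_ingress)
        call(GroupId=step["GroupId"], IpPermissions=step["IpPermissions"], DryRun=dry_run)


# Constructed sample data in describe_security_groups() shape (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "launch-wizard-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "udp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    found = find_world_open_admin_rules(SAMPLE_GROUPS)
    for f in found:
        print(f"{f['GroupId']} ({f['GroupName']}): {f['IpProtocol']} "
              f"{f['FromPort']}-{f['ToPort']} open to {f['WorldCidr']}")
    for step in build_remediation_plan(found, "198.51.100.10/32"):   # placeholder CIDR
        print(step)
    # Against a real account: apply_plan(plan, region_name="us-east-1", dry_run=False)
```

Note that the 443 rule and the UDP 3389 rule are deliberately left alone: the planner only touches TCP or all-protocol rules that reach 22 or 3389, so it will not silently close a public web port. Run with DryRun=True first (the default) so EC2 validates permissions without changing anything.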
One of my peer developers re-wrote my script using BOTO3 so it would work with Lambda, but that script is not mine and I do not have permission to share it here. Having said that, I do plan to follow up and write a new one not based on his code. Even if my script does not work for your use case, the point here is . . . CLOSE your admin ports 22 and 3389 to “0.0.0.0/0”