Hello frens, celt here to talk about why we do not NEED port 22 open in our AWS environment. I would even recommend you do not have port 22 open, more to come.
Also if you do not follow me on Twitter, you should here
Required Reading:
What is Port 22
Port 22 is the well-known port IANA assigned to Secure Shell, so it is used for SSH almost universally. That matters because attackers routinely target port 22 with brute-force attempts and other methods aimed at gaining SSH access to your node(s).
Basic Controls
Most companies will have strict firewall rules on port 22. One example would be that the request must come from the IP CIDR range for the company, or a specific subset of the CIDR.
For identity, you could also restrict access based on netgroup membership, which is specific to Linux machines.
However, in 2022 I am here to tell you: you do not need to open port 22 at all.
Preferred Controls
I would recommend using AWS Systems Manager - Session Manager and blocking off port 22 entirely. Blocking port 22 completely removes that risk vector and hardens your security posture. Implementing a Deny in your Security Groups and NACLs would satisfy this control.
Session Manager is an agent-based connection that requires your instances to have the Systems Manager (SSM) agent installed and configured; however, AWS provides automation documents so you can do this easily.
Turbo Note: You can install the SSM agent on on-prem machines as well, unifying the control plane. The SSM agent is open source and can be found here
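As an added example (my own code, not from this post), here is a small Python check a defender can run over the output of boto3's `ec2.describe_security_groups()` to confirm that no inbound rule still admits TCP/22, including rules that hide it inside a port range or an all-traffic rule. Security Groups are allow-only (there are no explicit deny rules), so the "deny" is achieved by having no rule match port 22; the sample groups below are constructed and the function names are my own.

```python
# Added example: audit EC2 security groups for inbound rules that expose SSH.
# Input shape matches boto3 ec2.describe_security_groups()["SecurityGroups"];
# the SAMPLE_GROUPS data is constructed so the check runs offline.

SSH_PORT = 22

def _covers_ssh(perm):
    """True if one IpPermission entry would admit TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):          # protocol may be a name or a number
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= SSH_PORT <= hi

def _sources(perm):
    """Flatten every source of an IpPermission into readable strings."""
    out = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    out += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    out += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return out

def find_ssh_ingress(security_groups):
    """Return (group_id, source) pairs for every rule that admits TCP/22."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if _covers_ssh(perm):
                findings.extend((sg["GroupId"], src) for src in _sources(perm))
    return findings

# Constructed sample: one clean group, one with the classic 0.0.0.0/0 rule,
# and one that hides SSH inside a port range and an all-traffic rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-clean", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-ssh-world", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-hidden", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
]
```

Against the live account, pass `ec2.describe_security_groups()["SecurityGroups"]` to `find_ssh_ingress` and expect an empty list once port 22 is closed; an empty result for `sg-clean` here shows what that looks like.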
Auditing and Logging
Auditing and logging are very easy in this setup, and arguably better than with SSH. For audit, every session connection is logged via CloudTrail, and those logs can be stored in an S3 bucket. You can follow who is making connections and when, and even set up EventBridge rules to monitor connections to, say, production machines.
For logging, all of the commands run during a session are logged and streamed/stored in CloudWatch Logs or S3. You can even go back later and query these logs with AWS Athena, which is useful if you want to find what commands were run around the time of an outage.
Bringing it all together
We eliminate a risk vector by blocking port 22 and enforce that connections are made through Session Manager, which provides enhanced auditability and logging, ultimately resulting in a hardened security posture.
-Celt