🟠 CIS AWS 4.1 · Rule: AWS-NET-001 · critical

Ensure no security groups allow unrestricted SSH

Description

Security groups should not allow SSH (port 22) access from 0.0.0.0/0.

⚠️ Risk Impact

Open SSH access from the internet enables brute-force attacks and exploitation of SSH vulnerabilities.

🔍 How EchelonGraph Detects This

AWS-NET-001 · Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as critical-severity findings with remediation guidance.

🖥️ Manual Verification

terminal
aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=22 Name=ip-permission.cidr,Values='0.0.0.0/0'

🔧 Remediation

Restrict SSH access to specific CIDR blocks. Use AWS Systems Manager Session Manager for administrative access.

💀 Real-World Attack Scenario

A development team created a security group with SSH open to 0.0.0.0/0 for remote debugging. Automated scanners discovered the instance within 6 minutes. Using a known SSH vulnerability, the attacker gained access and installed a reverse shell, then used the instance as a pivot point to access internal RDS databases.

💰 Cost of Non-Compliance

CISA reports SSH brute-force is involved in 34% of initial access incidents. Average breach cost from exposed SSH: $3.1M. Insurance claims for SSH-related incidents increased 280% in 2023.

📋 Audit Questions

  1. List all security groups with SSH open to 0.0.0.0/0.
  2. Do you use AWS SSM Session Manager instead of SSH?
  3. How are security group changes monitored?

🎯 MITRE ATT&CK Mapping

  • T1110 — Brute Force
  • T1021.004 — SSH
  • T1133 — External Remote Services

🏗️ Infrastructure as Code Fix

main.tf
# Use SSM Session Manager instead of SSH: attach the managed SSM policy to the
# EC2 instance role (aws_iam_role.ec2 is assumed to be declared elsewhere and
# bound to the instance through an instance profile). The instance also needs
# the SSM agent and network reachability to the SSM endpoints.
resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

⚡ Common Pitfalls

  • Temporary SSH rules that become permanent
  • Using /16 CIDR blocks instead of specific IPs
  • Not checking IPv6 rules (::/0) alongside IPv4
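Added example (not EchelonGraph's scanner code) that performs the manual verification above over the JSON returned by `aws ec2 describe-security-groups --output json`, covering the pitfalls just listed: IPv6 `::/0`, port ranges or all-traffic rules that include 22, and broad CIDRs such as a /16. The two CLI filters do not have to match the same rule and do not see `::/0` or a 0-1024 range, which is why a rule-by-rule check is worth having; the sample groups, the `tcp_rule` helper and the /24 "broad" threshold are constructed assumptions.

```python
import ipaddress

SSH_PORT, BROAD_PREFIX = 22, 24  # assumed threshold: prefixes shorter than /24 are "broad"

def rule_covers_ssh(perm):
    """One IpPermissions entry admits TCP/22: exact 22, a range spanning 22, or all traffic."""
    if perm.get("IpProtocol") == "-1":  # all-traffic rules carry no FromPort/ToPort
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm["FromPort"] <= SSH_PORT <= perm["ToPort"]

def classify_cidr(cidr):
    """'unrestricted' for 0.0.0.0/0 or ::/0, 'broad' below BROAD_PREFIX, else None."""
    prefixlen = ipaddress.ip_network(cidr, strict=False).prefixlen
    if prefixlen == 0:
        return "unrestricted"
    return "broad" if prefixlen < BROAD_PREFIX else None

def find_open_ssh(groups):
    """Walk describe-security-groups output and return (GroupId, cidr, verdict) findings."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_ssh(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]        # IPv4 sources
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]  # IPv6: ::/0 blind spot
            for cidr in cidrs:
                verdict = classify_cidr(cidr)
                if verdict:
                    findings.append((sg["GroupId"], cidr, verdict))
    return findings

def tcp_rule(from_port, to_port, v4=(), v6=()):
    """Build one IpPermissions entry in the AWS JSON shape (helper for the constructed sample)."""
    return {"IpProtocol": "tcp", "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c} for c in v4], "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}

# Constructed sample (not real account data), one group per case the pitfalls describe.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [tcp_rule(22, 22, v4=["0.0.0.0/0"])]},
    {"GroupId": "sg-0bbb", "IpPermissions": [tcp_rule(0, 1024, v4=["198.51.100.4/32"], v6=["::/0"])]},
    {"GroupId": "sg-0ccc", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [tcp_rule(22, 22, v4=["203.0.113.0/16"])]},
    {"GroupId": "sg-0eee", "IpPermissions": [tcp_rule(22, 22, v4=["203.0.113.7/32"])]},  # compliant
]
```

To audit a real account, save the CLI's JSON output to a file and pass `json.load(f)["SecurityGroups"]` to `find_open_ssh`.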

📈 Business Value

SSM Session Manager eliminates SSH key management entirely while providing IAM-based access control and full audit logging. Zero open ports = zero attack surface.

⏱️ Effort Estimate

Manual

2-4 hours to audit and remediate security groups

With EchelonGraph

EchelonGraph detects open SSH security groups in real-time

🔗 Cross-Framework References

SOC2-CC6.6 · ISO27001-A.13.1.3 · PCI-1.3.1

Automate CIS AWS 4.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
