🟠 CIS AWS 4.2 | Rule: AWS-NET-002 | critical

Ensure no security groups allow unrestricted RDP

Description

Security groups should not allow RDP (port 3389) access from 0.0.0.0/0.

⚠️ Risk Impact

RDP is one of the most heavily targeted protocols. An RDP endpoint reachable from the internet is exposed to BlueKeep exploitation, credential brute-forcing, and ransomware delivery.

🔍 How EchelonGraph Detects This

AWS-NET-002 | Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected AWS accounts. Violations are flagged as critical-severity findings with remediation guidance.

🔧 Remediation

Remove public ingress rules for port 3389 and provide remote access through a VPN or AWS Systems Manager Session Manager instead.

💀 Real-World Attack Scenario

The LockBit ransomware group scanned AWS IP ranges for open RDP ports and found a Windows Server with weak admin credentials. They deployed ransomware across the entire VPC within 90 minutes, encrypting 23 EC2 instances and 5 RDS snapshots, demanding $3.2M in Bitcoin.

💰 Cost of Non-Compliance

Verizon DBIR 2024: RDP is the #1 action variety in ransomware incidents. Average ransom demand: $1.54M. Recovery cost without paying: $4.54M including 23 days average downtime.

📋 Audit Questions

  1. List all security groups with RDP from 0.0.0.0/0.
  2. What remote access solution is in use?
  3. Are Windows instances monitored for brute-force attempts?
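Audit question 1 can be answered directly from describe_security_groups output. The following is an added example, not EchelonGraph's scanner code: it flags every group with an ingress rule that reaches TCP 3389 from 0.0.0.0/0, and also catches the cases a naive port-equals-3389 check misses (the IPv6 wildcard ::/0, port ranges that include 3389, and all-traffic rules). The sample groups are constructed, and the live boto3 fetch at the bottom assumes credentials are configured.

```python
"""Flag security groups whose ingress exposes RDP (TCP 3389) to the internet.
Added example, not EchelonGraph's code; SAMPLE_GROUPS below is constructed."""
from typing import Iterable, List

RDP_PORT = 3389
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def rule_covers_rdp(perm: dict) -> bool:
    """Exact 3389, a TCP range containing 3389, or all traffic (IpProtocol "-1")."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def rule_is_public(perm: dict) -> bool:
    """True if any IPv4 or IPv6 source range in the rule is the whole internet."""
    return (any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])))


def find_public_rdp(groups: Iterable[dict]) -> List[str]:
    """GroupIds (describe_security_groups format) with any public RDP-reaching rule."""
    return sorted({g["GroupId"] for g in groups
                   for p in g.get("IpPermissions", [])
                   if rule_covers_rdp(p) and rule_is_public(p)})


# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [  # 3389 from 0.0.0.0/0: violation
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2c3d4e", "IpPermissions": [  # 3000-4000 from ::/0: violation
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c3d4e5f", "IpPermissions": [  # all traffic from anywhere: violation
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d4e5f60", "IpPermissions": [  # 3389 only from a VPN range: compliant
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    import boto3  # live audit of one region; assumes AWS credentials are configured
    live = boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    print("public RDP groups:", find_public_rdp(live))
```

Groups referencing 3389 via a prefix list or another security group as the source are not public and are correctly left out; extend rule_is_public if your account also treats very broad CIDRs (for example /8) as non-compliant.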

🎯 MITRE ATT&CK Mapping

  • T1021.001 — Remote Desktop Protocol
  • T1486 — Data Encrypted for Impact
  • T1110 — Brute Force

⚡ Common Pitfalls

  • Opening RDP for vendor access and forgetting to close it
  • Not checking for RDP listening on non-standard ports, which a check that only looks for 3389 will miss
  • Assuming private subnets don't need security group restrictions (a compromised internal host can reach RDP on its neighbours)

📈 Business Value

Eliminating public RDP access removes the #1 ransomware entry vector. Organizations that block RDP from the internet experience 85% fewer ransomware incidents.

⏱️ Effort Estimate

Manual

1-2 hours to audit and fix security groups

With EchelonGraph

EchelonGraph continuously monitors for RDP exposure

🔗 Cross-Framework References

SOC2-CC6.6 | ISO27001-A.13.1.3
