Fix: AWS Security Group Exposes SSH Port 22

by Alex Johnson

Is your AWS Security Group exposing your SSH port (22) to the world? That's a big no-no! This article breaks down an Infrastructure as Code (IAC) policy violation where an AWS Security Group is configured to allow unrestricted traffic on the standard SSH port (22). We'll cover what this means, why it's a security risk, and how to fix it using Terraform and CloudFormation.

Policy ID: CKV_AWS_24 | Severity: INFO | Framework: terraform | Violations: 1 across 1 file

New Violations (1)

INFO - AWS Security Group allows all traffic on SSH port (22)

File: /test-14-misconfigurations.tf:11-29 Framework: terraform

Security groups are stateful and provide filtering of ingress/egress network traffic to AWS resources. We recommend that security groups do not allow unrestricted ingress access to port 22. Removing unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk. Leaving port 22 open to the world is like leaving your front door unlocked – anyone can try to get in! Attackers constantly scan for open SSH ports to exploit vulnerabilities and gain unauthorized access to your systems. This violation highlights a critical security misconfiguration that needs immediate attention.

Why is this a big deal?

  • Brute-force attacks: Attackers can try to guess your SSH password.
  • Exploiting vulnerabilities: If your SSH server has any known vulnerabilities, attackers can exploit them.
  • Malware installation: Once inside, attackers can install malware, steal data, or use your server for malicious purposes.

The goal is to limit SSH access to only trusted sources. This significantly reduces the attack surface and makes it much harder for unauthorized individuals to gain access. Think of it as adding layers of security to protect your infrastructure.


How to Fix:

Here's how to fix this security hole in both Terraform and CloudFormation.

*Terraform*

*   *Resource:* aws_security_group

[source,hcl]
----
resource "aws_security_group" "example" {
  ...
  ingress {
    cidr_blocks = [
-     "0.0.0.0/0"
+     "10.0.0.1/32"
    ]
    from_port = 22
    to_port   = 22
    protocol  = "tcp"
  }
}
----

The Terraform snippet restricts access to port 22 by changing the cidr_blocks attribute. The original value "0.0.0.0/0" matches every IPv4 address, so the rule accepts SSH connections from anywhere on the internet. The corrected value "10.0.0.1/32" limits the rule to a single source address (10.0.0.1). Replace this example address with the actual IP address or CIDR block that should be allowed to reach the SSH port. If you have several trusted sources, list each of them as a separate entry in the cidr_blocks list. Note that an ipv6_cidr_blocks entry of "::/0" is the IPv6 equivalent of "0.0.0.0/0" and must be restricted in the same way.

*CloudFormation*

*   *Resource:* AWS::EC2::SecurityGroup
*   *Arguments:* Properties.SecurityGroupIngress

[source,yaml]
----
Type: AWS::EC2::SecurityGroup
Properties:
  ...
  SecurityGroupIngress:
    - Description: SSH Ingress
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
-     CidrIp: "0.0.0.0/0"
+     CidrIp: "10.10.10.0/24"
----

Similarly, the CloudFormation snippet shows how to modify the CidrIp property within the SecurityGroupIngress section. The change from "0.0.0.0/0" to "10.10.10.0/24" restricts access to the SSH port to only the IP addresses within the 10.10.10.0/24 CIDR block. As with the Terraform example, replace this with the appropriate CIDR block that encompasses your trusted SSH clients. Remember to carefully plan your CIDR blocks to avoid accidentally blocking legitimate traffic.
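To make the policy concrete, here is an added example (written for this article, not code from the report, from Mend, or from Checkov) that re-implements the core of the CKV_AWS_24 check in Python. It accepts ingress rules in either Terraform style (cidr_blocks, from_port, to_port, protocol) or CloudFormation style (CidrIp, FromPort, ToPort, IpProtocol), given as plain dicts, and reports every unrestricted CIDR that can reach port 22. The sample rules are constructed to mirror the before/after snippets above, plus two cases a naive "from_port == 22" search would miss: IpProtocol -1 (all traffic) and a wide TCP port range open to ::/0. The function names are this example's own.

```python
import ipaddress

SSH_PORT = 22


def normalize(rule):
    """Map a Terraform ingress block or a CloudFormation SecurityGroupIngress
    entry (both given here as plain dicts) onto one common shape."""
    if "IpProtocol" in rule:  # CloudFormation-style keys
        cidrs = [c for c in (rule.get("CidrIp"), rule.get("CidrIpv6")) if c]
        return {
            "protocol": rule["IpProtocol"],
            "from_port": rule.get("FromPort"),
            "to_port": rule.get("ToPort"),
            "cidrs": cidrs,
        }
    # Terraform-style keys (aws_security_group ingress block)
    return {
        "protocol": rule.get("protocol", "tcp"),
        "from_port": rule.get("from_port"),
        "to_port": rule.get("to_port"),
        "cidrs": list(rule.get("cidr_blocks", [])) + list(rule.get("ipv6_cidr_blocks", [])),
    }


def rule_reaches_port(rule, port=SSH_PORT):
    """True if the normalized rule's protocol and port range include `port`.
    Protocol -1 means all traffic; a missing port bound means the full range."""
    proto = str(rule["protocol"]).lower()
    if proto in ("-1", "all"):
        return True
    if proto != "tcp":
        return False
    lo = 0 if rule["from_port"] is None else int(rule["from_port"])
    hi = 65535 if rule["to_port"] is None else int(rule["to_port"])
    return lo <= port <= hi


def is_unrestricted(cidr):
    """A /0 prefix in either address family means 'anywhere'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_rules(rules):
    """Return the unrestricted CIDRs that can reach SSH across all rules;
    an empty list means the security group passes the policy."""
    findings = []
    for raw in rules:
        rule = normalize(raw)
        if not rule_reaches_port(rule):
            continue
        findings.extend(c for c in rule["cidrs"] if is_unrestricted(c))
    return findings


# Constructed sample rules mirroring the article's before/after snippets.
TF_BEFORE = {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
TF_AFTER = {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.1/32"]}
CFN_BEFORE = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
CFN_AFTER = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.10.10.0/24"}
# Constructed edge cases that still expose SSH even though "22" never appears.
ALL_TRAFFIC = {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}
WIDE_RANGE_V6 = {"from_port": 0, "to_port": 1024, "protocol": "tcp", "ipv6_cidr_blocks": ["::/0"]}

if __name__ == "__main__":
    samples = [("TF_BEFORE", TF_BEFORE), ("TF_AFTER", TF_AFTER),
               ("CFN_BEFORE", CFN_BEFORE), ("CFN_AFTER", CFN_AFTER),
               ("ALL_TRAFFIC", ALL_TRAFFIC), ("WIDE_RANGE_V6", WIDE_RANGE_V6)]
    for name, rule in samples:
        findings = check_rules([rule])
        print(f"{name}: {'FAIL ' + ', '.join(findings) if findings else 'PASS'}")
```

Running the script shows the two "before" rules and both edge cases failing while the two "after" rules pass. The port-range and protocol handling is the part worth copying into any home-grown check: a rule that opens 0-1024/tcp or all protocols to 0.0.0.0/0 exposes SSH just as much as one that names port 22 explicitly.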


All Violations in this Policy

|===
| Severity | File | Line Range | Framework

| 🔵 INFO | /test-14-misconfigurations.tf | 11-29 | terraform
|===

Summary

  • Total Violations: 1
  • New Violations: 1
  • Resolved Violations: 0
  • Affected Files: 1

By Severity

  • INFO: 1 violation

By Framework

  • terraform: 1 violation

Remediation Guide

1. Immediate Action (High/Critical Severity)

Review and address violations based on your security policies and deployment timeline. Don't delay, fix it today! Prioritize addressing high and critical severity issues first, as they pose the greatest risk to your infrastructure. Make sure your team is aware of the security implications and understands the remediation steps.

2. Policy Understanding

This policy violation indicates: AWS Security Group allows all traffic on SSH port (22). Understanding the policy is the first step towards fixing it. This policy is in place to prevent unauthorized access to your systems via SSH. It's a fundamental security best practice to restrict SSH access to only trusted sources.

3. Fix Strategy

  1. Review each affected file listed above. Pay close attention to the line numbers indicated.
  2. Apply the recommended fixes for your IAC framework (Terraform or CloudFormation). Double-check your changes before applying them.
  3. Test changes in a development environment. Never apply changes directly to production without thorough testing.
  4. Scan again to verify fixes. Confirm that the violation is resolved after applying the changes.

Key Considerations:

  • Principle of Least Privilege: Only grant the minimum necessary access. Avoid broad CIDR blocks whenever possible.
  • Regular Audits: Regularly review your security group configurations to identify and address potential vulnerabilities.
  • Automation: Implement automated security checks in your CI/CD pipeline to prevent misconfigurations from reaching production.

By following these steps, you can effectively remediate this security violation and improve the overall security posture of your AWS infrastructure. Remember, security is an ongoing process, not a one-time fix.


This issue is automatically managed by Mend IAC scanning. It will be updated as violations are fixed or new ones are introduced.

For more information on AWS security best practices, visit the AWS Security Documentation.