Insecure AWS EC2 VPC Security Group Ingress Rule Added

Last updated: 2025-07-10
Created: 2024-04-16

About

Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized access.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS EC2
Use Case: Threat Detection
Tactic: Defense Evasion
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Defense Evasion (TA0005)

False Positive Examples
Administrators may legitimately add security group rules to allow traffic from any IP address or from specific IP addresses to common remote access ports.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: "aws.cloudtrail"
    and event.provider: ec2.amazonaws.com
    and event.action: AuthorizeSecurityGroupIngress
    and event.outcome: success
    and aws.cloudtrail.flattened.request_parameters.ipPermissions.items.ipRanges.items.cidrIp: ("0.0.0.0/0" or "::/0")
    and aws.cloudtrail.flattened.request_parameters.ipPermissions.items.fromPort: (
        21 or 22 or 23 or 445 or 3389 or 5985 or 5986)
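To make the query's matching behaviour concrete, the following is an added example (not part of the Elastic rule or its repository) that re-implements the KQL above as a Python predicate and runs it over constructed, minimal CloudTrail-shaped documents. The event records, the security group id and the helper names (`rule_matches`, `rule_matches_strict`, `evaluate`) are assumptions made for illustration. It also goes one step beyond the page: because `ipPermissions.items` is a plain (non-nested) array in the flattened field, KQL evaluates the `cidrIp` test and the `fromPort` test independently across all items, so `rule_matches` mirrors that, while `rule_matches_strict` shows the tighter check a defender might want, requiring both conditions on the same permission entry.

```python
"""Python equivalent of the rule's KQL, run over constructed CloudTrail events.

All event documents below are made up for illustration; they are not real
CloudTrail output and the group id is a placeholder.
"""

# Port list and address ranges copied from the KQL query on the page.
REMOTE_ACCESS_PORTS = {21, 22, 23, 445, 3389, 5985, 5986}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def _permissions(event):
    """Return the ipPermissions.items list from the flattened request parameters."""
    params = (event.get("aws", {}).get("cloudtrail", {})
              .get("flattened", {}).get("request_parameters", {}))
    return params.get("ipPermissions", {}).get("items", [])


def _cidrs(perm):
    """All IPv4-style cidrIp values attached to one ipPermissions item."""
    return [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]


def _base_match(event):
    """The four fixed clauses of the KQL: dataset, provider, action, outcome."""
    ev = event.get("event", {})
    return (ev.get("dataset") == "aws.cloudtrail"
            and ev.get("provider") == "ec2.amazonaws.com"
            and ev.get("action") == "AuthorizeSecurityGroupIngress"
            and ev.get("outcome") == "success")


def rule_matches(event):
    """Mirror the KQL: the cidrIp test and the fromPort test are each satisfied
    by ANY ipPermissions item, not necessarily the same one (flattened array semantics)."""
    if not _base_match(event):
        return False
    perms = _permissions(event)
    open_to_world = any(c in ANY_ADDRESS for p in perms for c in _cidrs(p))
    remote_port = any(p.get("fromPort") in REMOTE_ACCESS_PORTS for p in perms)
    return open_to_world and remote_port


def rule_matches_strict(event):
    """Stricter variant (hypothetical): world-open range and remote-access port
    must occur on the same ipPermissions item."""
    if not _base_match(event):
        return False
    return any(p.get("fromPort") in REMOTE_ACCESS_PORTS
               and any(c in ANY_ADDRESS for c in _cidrs(p))
               for p in _permissions(event))


def _event(permissions, action="AuthorizeSecurityGroupIngress", outcome="success"):
    """Build a constructed, minimal document shaped like an ECS CloudTrail record."""
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "ec2.amazonaws.com",
                  "action": action, "outcome": outcome},
        "aws": {"cloudtrail": {"flattened": {"request_parameters": {
            "groupId": "sg-EXAMPLE",  # placeholder, not a real security group id
            "ipPermissions": {"items": permissions}}}}},
    }


def _perm(port, *cidrs):
    """One ipPermissions item for a single TCP port and the given source ranges."""
    return {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
            "ipRanges": {"items": [{"cidrIp": c} for c in cidrs]}}


# Constructed sample events covering a true positive, two non-matches,
# the flattened-array edge case, and a failed (denied) API call.
SAMPLE_EVENTS = {
    "ssh_from_anywhere": _event([_perm(22, "0.0.0.0/0")]),
    "ssh_from_corp_range": _event([_perm(22, "10.0.0.0/8")]),
    "https_from_anywhere": _event([_perm(443, "0.0.0.0/0")]),
    "mixed": _event([_perm(443, "0.0.0.0/0"), _perm(3389, "10.0.0.0/8")]),
    "failed_call": _event([_perm(22, "0.0.0.0/0")], outcome="failure"),
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {name: (kql_equivalent_match, same_item_match)} for each event."""
    return {name: (rule_matches(e), rule_matches_strict(e))
            for name, e in events.items()}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:22} kql-equivalent={loose!s:5} same-item={strict}")
```

The `mixed` event is the one to watch: it opens 443 to the world and 3389 only to an internal range, yet the KQL-equivalent predicate fires because each clause is satisfied by a different array element. That is a true behaviour of the flattened field, so treat such alerts as candidates for triage rather than tuning them out; the strict variant is only a post-processing idea, not something the KQL rule itself can express without nested mappings.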

Install detection rules in Elastic Security

Detect the "Insecure AWS EC2 VPC Security Group Ingress Rule Added" activity in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.