Description
Several hosts expose SSH access to the internet.
Several hosts expose SSH to the internet on TCP port 22.
oonibackend_proxy instances are associated with the nginx_sg which permits SSH access from 0.0.0.0/0.

container_host instances are associated with the container_host security group which allows SSH access from admin_cidr_ingress. The default value for this module-level variable is 0.0.0.0/0 and it is not set in either environment.

codesign_box instances are associated with the hsm security group which permits SSH access from 0.0.0.0/0.

app instances are associated with the instance security group which allows SSH from admin_cidr_ingress. The default for this module-level variable is 0.0.0.0/0 and it is not set in either environment.

clickhouse_server_prod_ter1 is associated with clickhouse_sg which allows SSH from admin_cidr_ingress. This has no default and clickhouse is not included in either environment.
The pentest recommended we do:
Access these hosts via a Jumpbox/Bastion hosts to limit exposure. AWS SSM may be an option if a vendor-specific solution is acceptable. These hosts do not appear to need public IP addresses, so the security groups can restrict SSH access to the jumphost.
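As an added illustration of the recommendation (example Terraform, not the project's own module code), the block below shows the pattern the report flags, a module-level variable whose default opens SSH to 0.0.0.0/0, next to a hardened form: the variable has no default and rejects the any-address CIDR, only a bastion security group accepts SSH from that variable, and the application hosts accept SSH solely from the bastion's security group. The resource names "bastion" and "app" and the variable "vpc_id" are assumptions for this example.

```hcl
# Added example, not code from the repository. Resource names "bastion",
# "app" and the variable "vpc_id" are assumptions for illustration.

# Weak pattern described in the issue: a module-level variable whose default
# exposes SSH to the whole internet whenever a caller forgets to set it.
#
# variable "admin_cidr_ingress" {
#   default = "0.0.0.0/0"
# }
# resource "aws_security_group_rule" "ssh_anywhere" {
#   type              = "ingress"
#   from_port         = 22
#   to_port           = 22
#   protocol          = "tcp"
#   cidr_blocks       = [var.admin_cidr_ingress]
#   security_group_id = aws_security_group.app.id
# }

# Hardened: no default, so every environment must set the value explicitly,
# and a validation block refuses the any-address CIDRs outright.
variable "admin_cidr_ingress" {
  description = "CIDR allowed to reach the bastion on TCP/22 (administrator network)"
  type        = string

  validation {
    condition     = !contains(["0.0.0.0/0", "::/0"], var.admin_cidr_ingress)
    error_message = "admin_cidr_ingress must not be the whole internet (0.0.0.0/0 or ::/0)."
  }
}

variable "vpc_id" {
  description = "VPC the security groups are created in (assumed input)"
  type        = string
}

# The bastion is the only host that accepts SSH from outside the VPC.
resource "aws_security_group" "bastion" {
  name   = "bastion"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "bastion_ssh_from_admin" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.admin_cidr_ingress]
  security_group_id = aws_security_group.bastion.id
}

# Terraform removes the implicit allow-all egress rule, so the bastion's
# outbound SSH to the application hosts is granted explicitly and nothing else.
resource "aws_security_group_rule" "bastion_ssh_to_app" {
  type                     = "egress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
  security_group_id        = aws_security_group.bastion.id
}

# Application hosts: SSH is reachable only from the bastion's security group,
# so they need neither a public IP address nor any 0.0.0.0/0 ingress rule.
resource "aws_security_group" "app" {
  name   = "app"
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "app_ssh_from_bastion" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.bastion.id
  security_group_id        = aws_security_group.app.id
}
```

With this shape, `terraform plan` fails in any environment that does not set `admin_cidr_ingress`, which is exactly the failure mode the issue describes for the container_host and app modules; referencing the bastion by security group rather than by CIDR also means the application rules stay correct if the bastion's address changes. If the team opts for AWS SSM Session Manager instead, the bastion and its two rules can be dropped and the application groups need no inbound SSH rule at all.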