Compliance · High severity

AWS Security Hub · EC2

EC2.14: RDP (port 3389) is open to the entire internet

Written and reviewed by Emnode

What does AWS Security Hub EC2.14 check?

EC2.14 fails security groups that allow inbound RDP (TCP port 3389) from 0.0.0.0/0 or ::/0 — Remote Desktop open to the whole internet.

Why does EC2.14 matter?

Internet-exposed RDP is a leading initial-access vector for ransomware crews. It is relentlessly scanned and brute-forced, and a single foothold on a Windows host often leads to lateral movement across the domain. RDP should be reachable only over a private path.

How do I fix EC2.14?

  1. Remove the 0.0.0.0/0 rule on 3389; restrict to known admin CIDRs or drop it entirely.
  2. Use SSM Session Manager (it supports port forwarding for RDP) so the port is never internet-facing.
  3. Place Windows hosts in private subnets behind a bastion or VPN.

Remediation script · bash

# Revoke the over-open RDP rule, covering both IPv4 and IPv6 in one call.
# Group IDs below are placeholders; substitute the failing group from the finding.
# Revoke matches rules exactly: if the group only has one of the two world-open
# ranges, revoke that range on its own, then describe the group to confirm nothing is left.
aws ec2 revoke-security-group-ingress --group-id sg-0a1b2c3d \
  --ip-permissions 'IpProtocol=tcp,FromPort=3389,ToPort=3389,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}]'

# Where RDP access is genuinely needed, re-add it scoped to a source security group
# (for example the bastion's group), not a CIDR.
aws ec2 authorize-security-group-ingress --group-id sg-0a1b2c3d \
  --ip-permissions 'IpProtocol=tcp,FromPort=3389,ToPort=3389,UserIdGroupPairs=[{GroupId=sg-0app1234,Description=bastion-rdp}]'

# Strip a default security group to empty by feeding its current rules back into revoke.
# --output json guarantees the value is in the form --ip-permissions accepts.
INGRESS=$(aws ec2 describe-security-groups --group-ids sg-0default01 \
  --query 'SecurityGroups[0].IpPermissions' --output json)
[ "$INGRESS" != "[]" ] && aws ec2 revoke-security-group-ingress \
  --group-id sg-0default01 --ip-permissions "$INGRESS"
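To confirm a group is clean after remediation, or to find every other group in the account that would fail the same control, the evaluator below applies the EC2.14 condition (TCP 3389, or a range spanning it, or all traffic, from 0.0.0.0/0 or ::/0) to the JSON that describe-security-groups returns. This is an added example in Python, not code from this page or from Security Hub; the group IDs and rules in SAMPLE are constructed.

```python
"""Offline evaluator for the EC2.14 condition over describe-security-groups output."""
import json

RDP_PORT = 3389
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"


def rule_exposes_rdp(perm: dict) -> bool:
    """True if one IpPermissions entry opens 3389 to the whole internet.
    Covers the exact port, a tcp range that spans 3389, and IpProtocol -1."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all traffic, no ports present
        in_port = True
    elif proto == "tcp":
        in_port = perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)
    else:
        return False                       # udp/icmp entries are not RDP
    if not in_port:
        return False
    v4 = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6                        # UserIdGroupPairs/PrefixListIds never count


def failing_groups(security_groups: list) -> list:
    """Return the GroupIds that would fail EC2.14, in input order."""
    return [sg["GroupId"] for sg in security_groups
            if any(rule_exposes_rdp(p) for p in sg.get("IpPermissions", []))]


# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0bad00001", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0bad00002", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
    "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0bad00003", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0ok000001", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
    "UserIdGroupPairs": [{"GroupId": "sg-0bastion1"}]}]}
]}""")

if __name__ == "__main__":
    print(failing_groups(SAMPLE["SecurityGroups"]))  # ['sg-0bad00001', 'sg-0bad00002', 'sg-0bad00003']
```

Feed it real data with `json.load` on the output of `aws ec2 describe-security-groups --output json`; a group that still appears in the result has not been remediated.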

Full walkthrough (console steps, edge cases and verification) in the lesson Harden security groups and restrict ingress.

Part of the learning path Lock down access
  • EC2.1 An EBS snapshot is publicly restorable by any account
  • EC2.2 Default security groups still allow traffic
  • EC2.3 Attached EBS volumes are not encrypted at rest
  • EC2.4 Long-stopped instances are abandoned attack surface
  • EC2.6 No VPC flow logs, so there is no network audit trail
  • EC2.7 New EBS volumes are not encrypted by default
  • EC2.8 IMDSv1 lets an SSRF steal instance credentials
  • EC2.9 Instances are directly reachable on public IPv4
  • EC2.10 EC2 API traffic leaves the VPC over the internet
  • EC2.13 SSH (port 22) is open to the entire internet
  • EC2.15 Subnets auto-assign public IPs to new instances
  • EC2.17 Instances with multiple ENIs can bridge network boundaries