
Ensure No EC2 Instances Allow Ingress from the Internet to TCP Port 139 or 445 (CIFS)

Overview

This check identifies EC2 instances with security groups that allow inbound traffic on TCP ports 139 or 445 from anywhere on the internet (0.0.0.0/0 or ::/0). SMB (Server Message Block) is the Windows file and printer sharing protocol; CIFS (Common Internet File System) is the name of its older SMB1 dialect, and the two names are used interchangeably here. Port 445 carries SMB directly over TCP; port 139 carries it over the NetBIOS Session Service.

Exposing these ports to the internet is a critical security risk: SMB has a long history of remotely exploitable flaws, and it authenticates with NTLM or Kerberos credentials that an attacker who can reach the port can capture or relay. It should not be done in any environment, production or otherwise.

Risk

When CIFS/SMB ports are exposed to the internet, attackers can:

  • Gain unauthorized access to shared files and folders
  • Execute remote code on vulnerable systems
  • Capture NTLM authentication exchanges and use them in relay or offline cracking attacks
  • Deploy ransomware by accessing and encrypting your files
  • Enumerate network shares to discover sensitive data

High-profile worms such as WannaCry and NotPetya spread by exploiting an SMBv1 vulnerability (MS17-010, the EternalBlue exploit) on reachable SMB ports, which is why SMBv1 should be disabled even on internal file servers.

Remediation Steps

Prerequisites

You need permission to modify EC2 security groups in your AWS account. Specifically, you need the ec2:RevokeSecurityGroupIngress and ec2:DescribeSecurityGroups permissions.

AWS Console Method

  1. Open the EC2 Console
  2. In the left navigation, click Security Groups (under Network & Security)
  3. Find and select the security group flagged by Prowler
  4. Click the Inbound rules tab at the bottom of the page
  5. Click Edit inbound rules
  6. Find rules that allow traffic on port 139 or 445 from 0.0.0.0/0 or ::/0
  7. Either:
    • Delete the rule by clicking the X button (if CIFS is not needed)
    • Restrict the source to a trusted internal CIDR (e.g., 10.0.0.0/8) if file sharing is required internally
  8. Click Save rules

AWS CLI (optional)

First, identify the security groups allowing CIFS from the internet. The query matches any rule whose port range includes 139 or 445, including wide ranges such as 0-65535; it does not filter on protocol (a UDP rule spanning port 139 also appears) and it cannot see "All traffic" rules (IpProtocol -1), which carry no port fields but expose these ports just the same, so review those separately:

aws ec2 describe-security-groups \
  --region us-east-1 \
  --query "SecurityGroups[?IpPermissions[?((FromPort<=\`139\` && ToPort>=\`139\`) || (FromPort<=\`445\` && ToPort>=\`445\`)) && (IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0'])]].{GroupId:GroupId,GroupName:GroupName}" \
  --output table

Revoke the rule allowing port 139 from the internet. The revoke must describe the rule exactly as it exists: if the open rule is a port range such as 0-65535 or an "All traffic" rule, revoke that range (or the rule itself by ID with --security-group-rule-ids) rather than port 139 alone, otherwise the API returns InvalidPermission.NotFound and nothing changes:

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 139 \
  --cidr 0.0.0.0/0

Revoke the rule allowing port 445 from the internet:

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 445 \
  --cidr 0.0.0.0/0

If the rule also allows IPv6 access (::/0), revoke that as well:

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <security-group-id> \
  --ip-permissions IpProtocol=tcp,FromPort=139,ToPort=139,Ipv6Ranges='[{CidrIpv6=::/0}]'

aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <security-group-id> \
  --ip-permissions IpProtocol=tcp,FromPort=445,ToPort=445,Ipv6Ranges='[{CidrIpv6=::/0}]'

CloudFormation (optional)

Use this template to create a security group that restricts CIFS access to internal networks only. The TrustedCidr parameter accepts any CIDR, so pass an internal range and never 0.0.0.0/0 or ::/0, which would recreate the finding:

AWSTemplateFormatVersion: '2010-09-09'
Description: Security group with CIFS access restricted to internal networks only

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: The VPC ID where the security group will be created
  TrustedCidr:
    Type: String
    Default: 10.0.0.0/8
    Description: Trusted CIDR block for CIFS access (internal network only)

Resources:
  RestrictedCifsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group with CIFS restricted to internal networks
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 139
          ToPort: 139
          CidrIp: !Ref TrustedCidr
          Description: NetBIOS Session Service - internal only
        - IpProtocol: tcp
          FromPort: 445
          ToPort: 445
          CidrIp: !Ref TrustedCidr
          Description: SMB over TCP - internal only
      Tags:
        - Key: Name
          Value: restricted-cifs-sg

Outputs:
  SecurityGroupId:
    Description: ID of the security group with restricted CIFS access
    Value: !Ref RestrictedCifsSecurityGroup

Deploy the stack:

aws cloudformation create-stack \
  --region us-east-1 \
  --stack-name restricted-cifs-sg \
  --template-body file://template.yaml \
  --parameters ParameterKey=VpcId,ParameterValue=<your-vpc-id> \
               ParameterKey=TrustedCidr,ParameterValue=10.0.0.0/8

Terraform (optional)

variable "vpc_id" {
  description = "The VPC ID where the security group will be created"
  type        = string
}

variable "trusted_cidr" {
  description = "Trusted CIDR block for CIFS access (internal network only)"
  type        = string
  default     = "10.0.0.0/8"
}

resource "aws_security_group" "restricted_cifs" {
  name        = "restricted-cifs-sg"
  description = "Security group with CIFS restricted to internal networks"
  vpc_id      = var.vpc_id

  # NetBIOS Session Service - internal only
  ingress {
    from_port   = 139
    to_port     = 139
    protocol    = "tcp"
    cidr_blocks = [var.trusted_cidr]
    description = "NetBIOS Session Service - internal only"
  }

  # SMB over TCP - internal only
  ingress {
    from_port   = 445
    to_port     = 445
    protocol    = "tcp"
    cidr_blocks = [var.trusted_cidr]
    description = "SMB over TCP - internal only"
  }

  tags = {
    Name = "restricted-cifs-sg"
  }
}

output "security_group_id" {
  description = "ID of the security group with restricted CIFS access"
  value       = aws_security_group.restricted_cifs.id
}

Apply the configuration:

terraform init
terraform plan -var="vpc_id=<your-vpc-id>"
terraform apply -var="vpc_id=<your-vpc-id>"

Verification

After making changes, verify that CIFS ports are no longer exposed to the internet:

  1. Return to the Security Groups page in the EC2 Console
  2. Select the modified security group
  3. Check the Inbound rules tab
  4. Confirm there are no rules allowing ports 139 or 445 from 0.0.0.0/0 or ::/0

CLI verification

aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids <security-group-id> \
  --query "SecurityGroups[].IpPermissions[?IpProtocol=='-1' || (FromPort<=\`139\` && ToPort>=\`139\`) || (FromPort<=\`445\` && ToPort>=\`445\`)]" \
  --output json

The query lists every rule whose port range includes 139 or 445, plus any "All traffic" rule (IpProtocol -1, which has no port fields). The output should show no rules with 0.0.0.0/0 or ::/0 in the IpRanges or Ipv6Ranges fields.
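The one-line JMESPath queries used for identification and verification above can only test the fields present on a rule. The following Python is an added example (it is not Prowler's code and is not part of the original page) that evaluates the same describe-security-groups JSON in code and handles the cases the queries miss: "All traffic" (-1) rules, port ranges that merely include 139 or 445, and IPv6 sources. Each offending rule is returned in the exact shape the revoke command needs, so a rule that exists as "tcp 0-65535 from ::/0" is revoked as that range rather than as port 139 or 445. It also applies a simplified reachability gate of the kind the Notes describe (public IP plus a subnet route to an internet gateway); network ACLs are not modelled. The sample group, instance and route table are constructed, and the function names are this example's own.

```python
"""Find security-group rules admitting TCP 139/445 from the internet and decide
whether an instance behind them is reachable.  Input structures mirror the JSON
returned by `aws ec2 describe-security-groups`, `describe-instances` and
`describe-route-tables`; the sample data below is constructed for this example.
Added example, not Prowler's own code."""
import json
import sys

CIFS_PORTS = (139, 445)
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def rule_covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`.
    An 'All traffic' rule has IpProtocol '-1' and no FromPort/ToPort."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_cifs_rules(security_group):
    """Return the entries of `security_group` that allow TCP 139 or 445 from
    0.0.0.0/0 or ::/0, trimmed to those sources.  Each dict is in the shape
    revoke-security-group-ingress expects in --ip-permissions, so the revoke
    matches the rule exactly as it exists (the API rejects partial matches)."""
    hits = []
    for perm in security_group.get("IpPermissions", []):
        if not any(rule_covers_port(perm, p) for p in CIFS_PORTS):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if "FromPort" in perm:
            entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
        if any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", [])):
            entry["IpRanges"] = [{"CidrIp": ANY_V4}]
        if any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", [])):
            entry["Ipv6Ranges"] = [{"CidrIpv6": ANY_V6}]
        if "IpRanges" in entry or "Ipv6Ranges" in entry:
            hits.append(entry)
    return hits


def has_internet_route(route_table):
    """True if the route table sends default (v4 or v6) traffic to an internet gateway."""
    for route in route_table.get("Routes", []):
        default = (route.get("DestinationCidrBlock") == ANY_V4
                   or route.get("DestinationIpv6CidrBlock") == ANY_V6)
        via_igw = str(route.get("GatewayId", "")).startswith("igw-")
        if default and via_igw and route.get("State", "active") == "active":
            return True
    return False


def instance_cifs_exposure(instance, groups_by_id, route_table):
    """Return [(group_id, offending_rule), ...] for an instance that is actually
    reachable: a public IPv4 or an IPv6 address, a subnet route to an internet
    gateway, and an open rule for the matching address family."""
    public_v4 = bool(instance.get("PublicIpAddress"))
    public_v6 = any(ni.get("Ipv6Addresses") for ni in instance.get("NetworkInterfaces", []))
    if not (public_v4 or public_v6) or not has_internet_route(route_table):
        return []
    findings = []
    for sg_ref in instance.get("SecurityGroups", []):
        for rule in exposed_cifs_rules(groups_by_id.get(sg_ref["GroupId"], {})):
            if ("IpRanges" in rule and public_v4) or ("Ipv6Ranges" in rule and public_v6):
                findings.append((sg_ref["GroupId"], rule))
    return findings


# Constructed sample data (not real AWS output).
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0", "GroupName": "file-server",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,            # open to the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,            # wide range, IPv6 only
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 139, "ToPort": 139,            # internal only: fine
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 137, "ToPort": 138,            # NetBIOS name/datagram, out of scope
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0", "PublicIpAddress": "203.0.113.10",
    "NetworkInterfaces": [{"Ipv6Addresses": []}],
    "SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "GroupName": "file-server"}],
}
SAMPLE_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
]}

if __name__ == "__main__":
    # Pass a file holding `aws ec2 describe-security-groups --output json` output
    # to evaluate real groups; with no argument the constructed sample is used.
    groups = json.load(open(sys.argv[1]))["SecurityGroups"] if len(sys.argv) > 1 else [SAMPLE_SG]
    for g in groups:
        for rule in exposed_cifs_rules(g):
            print(g["GroupId"], json.dumps(rule))
    print(instance_cifs_exposure(SAMPLE_INSTANCE, {SAMPLE_SG["GroupId"]: SAMPLE_SG}, SAMPLE_ROUTE_TABLE))
```

On the sample group the script reports two rules: the 445 rule trimmed to its 0.0.0.0/0 source and the 0-65535 IPv6 range, while the internal-only 139 rule and the UDP rule are ignored. The instance-level result lists only the IPv4 rule, because the sample instance has no IPv6 address; feed each reported dict to `aws ec2 revoke-security-group-ingress --ip-permissions` (or to boto3's revoke_security_group_ingress) to remove exactly that source.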

Re-run Prowler to confirm the finding is resolved:

prowler aws --checks ec2_instance_port_cifs_exposed_to_internet --region us-east-1

Additional Resources

Notes

  • Do not expose CIFS/SMB to the internet under any circumstances. If you need remote file access, use a VPN, AWS PrivateLink, or AWS Transfer Family with SFTP instead.
  • If your workloads require CIFS internally, restrict access to specific trusted CIDR blocks (e.g., 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16).
  • Consider using AWS FSx for Windows File Server or Amazon EFS as managed alternatives to self-hosted file shares.
  • Disable SMBv1, require SMB signing, and use SMBv3 with encryption when CIFS is required for internal use.
  • This check evaluates whether instances are truly internet-reachable by considering public IP addresses and subnet routing, not just security group rules.