Ensure No EC2 Instances Allow Ingress from the Internet to Kerberos Ports

Overview

This check identifies EC2 security groups that allow public inbound access to Kerberos authentication ports (TCP 88, 464, 749, and 750). These ports should never be accessible from the internet (0.0.0.0/0 or ::/0).

Kerberos is a network authentication protocol used in environments like Active Directory. Exposing these ports to the public internet creates serious security vulnerabilities.

Risk

If Kerberos ports are exposed to the internet, attackers can:

• Steal credentials through password spraying and AS-REP roasting attacks
• Change passwords by exploiting port 464 (Kerberos password change service)
• Enumerate users and realms to map your directory structure
• Launch denial-of-service attacks against your Key Distribution Center (KDC)
• Move laterally through your network using stolen Kerberos tickets

Severity: Critical - This exposure can lead to full compromise of your authentication infrastructure.

Remediation Steps

Prerequisites

You need permission to modify EC2 security groups in your AWS account. This typically requires the ec2:RevokeSecurityGroupIngress and ec2:DescribeSecurityGroups permissions.

AWS Console Method

1. Sign in to the AWS Console and navigate to EC2
2. In the left sidebar, click Security Groups under "Network & Security"
3. Find the security group flagged by Prowler (check the Prowler output for the security group ID)
4. Select the security group and click the Inbound rules tab
5. Look for rules that allow traffic on ports 88, 464, 749, or 750 from source 0.0.0.0/0 or ::/0
6. For each problematic rule:
   • Click Edit inbound rules
   • Either delete the rule entirely, or change the source to your internal network CIDR (e.g., 10.0.0.0/8)
   • Click Save rules
7. Repeat for any other affected security groups

Important: Before removing rules, verify that legitimate Kerberos clients can still reach the service through your internal network or VPN.

AWS CLI (optional)

Find Security Groups with Exposed Kerberos Ports

First, identify security groups allowing public access to Kerberos ports:

# Find security groups with Kerberos ports open to 0.0.0.0/0
aws ec2 describe-security-groups \
  --region us-east-1 \
  --filters "Name=ip-permission.from-port,Values=88" \
            "Name=ip-permission.cidr,Values=0.0.0.0/0" \
  --query 'SecurityGroups[*].[GroupId,GroupName]' \
  --output table

Repeat the command for ports 464, 749, and 750 by changing the from-port value.

Remove the Problematic Rules

Once you identify the security group, remove the offending inbound rules:

# Remove rule allowing port 88 from internet (IPv4)
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <your-security-group-id> \
  --protocol tcp \
  --port 88 \
  --cidr 0.0.0.0/0

# Remove rule allowing port 464 from internet (IPv4)
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <your-security-group-id> \
  --protocol tcp \
  --port 464 \
  --cidr 0.0.0.0/0

# Remove rule allowing port 749 from internet (IPv4)
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <your-security-group-id> \
  --protocol tcp \
  --port 749 \
  --cidr 0.0.0.0/0

# Remove rule allowing port 750 from internet (IPv4)
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <your-security-group-id> \
  --protocol tcp \
  --port 750 \
  --cidr 0.0.0.0/0

If IPv6 rules exist (::/0), remove those as well:

# Remove rule allowing port 88 from internet (IPv6)
aws ec2 revoke-security-group-ingress \
  --region us-east-1 \
  --group-id <your-security-group-id> \
  --ip-permissions IpProtocol=tcp,FromPort=88,ToPort=88,Ipv6Ranges='[{CidrIpv6=::/0}]'

Add Restricted Access (if needed)

If Kerberos access is still required, add a rule limited to your internal network:

# Allow port 88 from internal network only
aws ec2 authorize-security-group-ingress \
  --region us-east-1 \
  --group-id <your-security-group-id> \
  --protocol tcp \
  --port 88 \
  --cidr 10.0.0.0/8

# Repeat for other Kerberos ports as needed (464, 749, 750)

Replace 10.0.0.0/8 with your actual internal network CIDR block.

CloudFormation (optional)

Use this CloudFormation template to create a properly secured security group that only allows Kerberos access from trusted internal networks:

AWSTemplateFormatVersion: '2010-09-09'
Description: Secure security group that blocks Kerberos ports from internet access

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the security group will be created

  TrustedCidr:
    Type: String
    Description: Trusted CIDR block for Kerberos access (internal network only)
    Default: '10.0.0.0/8'
    AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$

Resources:
  SecureKerberosSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group with Kerberos access restricted to internal network
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Kerberos KDC - Port 88
        - IpProtocol: tcp
          FromPort: 88
          ToPort: 88
          CidrIp: !Ref TrustedCidr
          Description: Kerberos KDC from trusted internal network only
        # Kerberos Password Change - Port 464
        - IpProtocol: tcp
          FromPort: 464
          ToPort: 464
          CidrIp: !Ref TrustedCidr
          Description: Kerberos password change from trusted internal network only
        # Kerberos Admin - Port 749
        - IpProtocol: tcp
          FromPort: 749
          ToPort: 749
          CidrIp: !Ref TrustedCidr
          Description: Kerberos admin from trusted internal network only
        # Kerberos - Port 750
        - IpProtocol: tcp
          FromPort: 750
          ToPort: 750
          CidrIp: !Ref TrustedCidr
          Description: Kerberos from trusted internal network only
      Tags:
        - Key: Name
          Value: secure-kerberos-sg

Outputs:
  SecurityGroupId:
    Description: ID of the secure Kerberos security group
    Value: !Ref SecureKerberosSecurityGroup
    Export:
      Name: !Sub '${AWS::StackName}-SecurityGroupId'

Deploy the stack:

aws cloudformation deploy \
  --region us-east-1 \
  --stack-name secure-kerberos-sg \
  --template-file template.yaml \
  --parameter-overrides VpcId=<your-vpc-id> TrustedCidr=10.0.0.0/8

Terraform (optional)

Use this Terraform configuration to create a properly secured security group:

variable "vpc_id" {
  description = "VPC ID where the security group will be created"
  type        = string
}

variable "trusted_cidr" {
  description = "Trusted CIDR block for Kerberos access (internal network only)"
  type        = string
  default     = "10.0.0.0/8"

  validation {
    condition     = can(cidrhost(var.trusted_cidr, 0)) && !contains(["0.0.0.0/0"], var.trusted_cidr)
    error_message = "trusted_cidr must be a valid CIDR block and cannot be 0.0.0.0/0 (public internet)."
  }
}

resource "aws_security_group" "kerberos_secure" {
  name        = "secure-kerberos-sg"
  description = "Security group with Kerberos access restricted to internal network"
  vpc_id      = var.vpc_id

  # Kerberos KDC - Port 88
  ingress {
    description = "Kerberos KDC from trusted internal network only"
    from_port   = 88
    to_port     = 88
    protocol    = "tcp"
    cidr_blocks = [var.trusted_cidr]
  }

  # Kerberos Password Change - Port 464
  ingress {
    description = "Kerberos password change from trusted internal network only"
    from_port   = 464
    to_port     = 464
    protocol    = "tcp"
    cidr_blocks = [var.trusted_cidr]
  }

  # Kerberos Admin - Port 749
  ingress {
    description = "Kerberos admin from trusted internal network only"
    from_port   = 749
    to_port     = 749
    protocol    = "tcp"
    cidr_blocks = [var.trusted_cidr]
  }

  # Kerberos - Port 750
  ingress {
    description = "Kerberos from trusted internal network only"
    from_port   = 750
    to_port     = 750
    protocol    = "tcp"
    cidr_blocks = [var.trusted_cidr]
  }

  egress {
    description = "Allow all outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "secure-kerberos-sg"
  }
}

output "security_group_id" {
  description = "ID of the secure Kerberos security group"
  value       = aws_security_group.kerberos_secure.id
}

Apply the configuration:

terraform init
terraform apply -var="vpc_id=<your-vpc-id>" -var="trusted_cidr=10.0.0.0/8"

Verification

After making changes, verify the remediation was successful:

1. In the AWS Console, go to EC2 > Security Groups
2. Select the modified security group
3. Check the Inbound rules tab
4. Confirm that ports 88, 464, 749, and 750 no longer have 0.0.0.0/0 or ::/0 as a source

CLI verification commands

# Verify no public access to Kerberos ports remains
aws ec2 describe-security-groups \
  --region us-east-1 \
  --group-ids <your-security-group-id> \
  --query 'SecurityGroups[*].IpPermissions[?FromPort==`88` || FromPort==`464` || FromPort==`749` || FromPort==`750`]' \
  --output json

The output should show only internal CIDR blocks (like 10.0.0.0/8), not 0.0.0.0/0 or ::/0.

You can also re-run the Prowler check to confirm:

prowler aws --checks ec2_instance_port_kerberos_exposed_to_internet --region us-east-1

Additional Resources

• AWS Security Groups Documentation
• AWS Security Best Practices - Network Security
• Prowler Check Documentation
• MIT Kerberos Documentation

Notes

• Service disruption: Removing security group rules takes effect immediately. Ensure legitimate Kerberos clients can access the service through other means (VPN, internal network) before making changes.
• Defense in depth: Beyond security groups, consider placing Kerberos/KDC services in private subnets without public IP addresses and using Network ACLs as an additional layer.
• Multiple security groups: An EC2 instance may have multiple security groups attached. Check all of them for problematic rules.
• Compliance frameworks: This check aligns with C5, ISO27001, KISA-ISMS-P, NIS2, and SOC2 requirements for network security controls.