Ensure No EC2 Instances Allow Ingress from the Internet to Oracle Ports

Overview

This check identifies EC2 instances with security groups that allow inbound traffic from the internet (0.0.0.0/0 or ::/0) to Oracle database ports:

  • Port 1521 - Oracle Listener (default)
  • Port 2483 - Oracle Listener (alternative)
  • Port 2484 - Oracle Listener over TLS

Oracle databases are high-value targets for attackers because they often contain sensitive business data. Exposing these ports to the entire internet significantly increases your attack surface.

Risk

If Oracle ports are exposed to the internet, attackers can:

  • Scan and discover your database servers using automated tools
  • Brute-force credentials to gain unauthorized access
  • Exploit TNS vulnerabilities (Transparent Network Substrate protocol attacks)
  • Exfiltrate sensitive data once they gain access
  • Modify or delete data, causing business disruption
  • Launch denial-of-service attacks against your database

Severity: Critical - Database breaches can result in significant financial and reputational damage.

Remediation Steps

Prerequisites

You need permission to modify EC2 security groups. Typically this means having the ec2:RevokeSecurityGroupIngress and ec2:AuthorizeSecurityGroupIngress permissions.

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSecurityGroupRules",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Console and go to EC2
  2. In the left sidebar, click Security Groups (under Network & Security)
  3. Find the security group attached to your Oracle database instance
  4. Select the security group and click the Inbound rules tab
  5. Click Edit inbound rules
  6. Delete any rules that:
    • Have Source set to 0.0.0.0/0 or ::/0
    • Allow access to ports 1521, 2483, or 2484
  7. Add replacement rules that allow access only from trusted sources:
    • Click Add rule
    • Set Type to "Custom TCP"
    • Set Port range to 1521 (or 2483-2484 for TLS)
    • Set Source to your trusted IP range (e.g., 10.0.0.0/16 for your VPC)
    • Add a Description like "Oracle access from internal network"
  8. Click Save rules

Important: Before removing rules, confirm which applications need Oracle access and ensure you add appropriate replacement rules with restricted source IPs.

AWS CLI (optional)

Find security groups with exposed Oracle ports

aws ec2 describe-security-groups \
--region us-east-1 \
--filters "Name=ip-permission.from-port,Values=1521" \
"Name=ip-permission.cidr,Values=0.0.0.0/0" \
--query "SecurityGroups[*].[GroupId,GroupName]" \
--output table

Remove the insecure rule

Replace <SECURITY_GROUP_ID> with your actual security group ID:

# Remove rule allowing 0.0.0.0/0 to port 1521
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 1521 \
--cidr 0.0.0.0/0

# Remove rule allowing 0.0.0.0/0 to port 2483
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 2483 \
--cidr 0.0.0.0/0

# Remove rule allowing 0.0.0.0/0 to port 2484
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 2484 \
--cidr 0.0.0.0/0

Add a secure replacement rule

Replace <TRUSTED_CIDR> with your internal network range:

# Allow Oracle access only from trusted network
aws ec2 authorize-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 1521 \
--cidr <TRUSTED_CIDR>

Remove IPv6 rules if present

# Remove IPv6 rule for port 1521
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--ip-permissions IpProtocol=tcp,FromPort=1521,ToPort=1521,Ipv6Ranges='[{CidrIpv6=::/0}]'

CloudFormation (optional)

This CloudFormation template creates a security group with Oracle ports restricted to a trusted CIDR block:

AWSTemplateFormatVersion: '2010-09-09'
Description: Secure Security Group - No Oracle ports exposed to internet

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the security group will be created
  TrustedCidr:
    Type: String
    Description: Trusted CIDR block for Oracle access (e.g., 10.0.0.0/16)
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'

Resources:
  SecureOracleSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for Oracle database with restricted access
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 1521
          ToPort: 1521
          CidrIp: !Ref TrustedCidr
          Description: Oracle listener from trusted network only
        - IpProtocol: tcp
          FromPort: 2483
          ToPort: 2484
          CidrIp: !Ref TrustedCidr
          Description: Oracle TLS ports from trusted network only
      Tags:
        - Key: Name
          Value: secure-oracle-sg

Outputs:
  SecurityGroupId:
    Description: ID of the secure Oracle security group
    Value: !Ref SecureOracleSecurityGroup

Deploy with:

aws cloudformation deploy \
--region us-east-1 \
--template-file template.yaml \
--stack-name secure-oracle-sg \
--parameter-overrides VpcId=<YOUR_VPC_ID> TrustedCidr=10.0.0.0/16

Terraform (optional)

This Terraform configuration creates a security group with Oracle ports restricted to a trusted CIDR block:

variable "vpc_id" {
  description = "VPC ID where the security group will be created"
  type        = string
}

variable "trusted_cidr" {
  description = "Trusted CIDR block for Oracle access (e.g., 10.0.0.0/16)"
  type        = string
}

resource "aws_security_group" "oracle_secure" {
  name        = "secure-oracle-sg"
  description = "Security group for Oracle database with restricted access"
  vpc_id      = var.vpc_id

  # Oracle listener - restricted to trusted CIDR only
  ingress {
    description = "Oracle listener from trusted network only"
    from_port   = 1521
    to_port     = 1521
    protocol    = "tcp"
    cidr_blocks = [var.trusted_cidr]
  }

  # Oracle TLS ports - restricted to trusted CIDR only
  ingress {
    description = "Oracle TLS ports from trusted network only"
    from_port   = 2483
    to_port     = 2484
    protocol    = "tcp"
    cidr_blocks = [var.trusted_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "secure-oracle-sg"
  }
}

output "security_group_id" {
  description = "ID of the secure Oracle security group"
  value       = aws_security_group.oracle_secure.id
}

Apply with:

terraform apply -var="vpc_id=vpc-xxxxxxxx" -var="trusted_cidr=10.0.0.0/16"

Verification

After making changes, verify the fix worked:

  1. Go to EC2 > Security Groups in the AWS Console
  2. Select your security group and check the Inbound rules tab
  3. Confirm there are no rules with source 0.0.0.0/0 or ::/0 for ports 1521, 2483, or 2484

CLI verification commands

Check if any security groups still have exposed Oracle ports:

# Check for port 1521 exposed to internet
aws ec2 describe-security-groups \
--region us-east-1 \
--filters "Name=ip-permission.from-port,Values=1521" \
"Name=ip-permission.cidr,Values=0.0.0.0/0" \
--query "SecurityGroups[*].GroupId" \
--output text

# Check for port 2483 exposed to internet
aws ec2 describe-security-groups \
--region us-east-1 \
--filters "Name=ip-permission.from-port,Values=2483" \
"Name=ip-permission.cidr,Values=0.0.0.0/0" \
--query "SecurityGroups[*].GroupId" \
--output text

# Check for port 2484 exposed to internet
aws ec2 describe-security-groups \
--region us-east-1 \
--filters "Name=ip-permission.from-port,Values=2484" \
"Name=ip-permission.cidr,Values=0.0.0.0/0" \
--query "SecurityGroups[*].GroupId" \
--output text

If the output is empty, no security groups have exposed Oracle ports.
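The describe-security-groups filters above match only rules whose from-port is exactly 1521, 2483 or 2484, and the cidr filter matches any rule in the group, not necessarily the same one. The following script is an added example, not part of this page or its tooling: it evaluates each rule in the `SecurityGroups` JSON returned by `aws ec2 describe-security-groups --output json` and also flags port ranges that contain an Oracle port, all-traffic (protocol -1) rules, and ::/0 sources. The three groups embedded at the bottom are constructed samples, not real resources.

```python
"""Flag security-group rules that open Oracle ports to the internet.

Added example (not from the original page). Input is the `SecurityGroups`
list in the shape returned by `aws ec2 describe-security-groups --output json`.
"""
ORACLE_PORTS = {1521, 2483, 2484}
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_sources(perm):
    """Yield the IPv4 and IPv6 source CIDRs of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r.get("CidrIp")
    for r in perm.get("Ipv6Ranges", []):
        yield r.get("CidrIpv6")

def exposed_oracle_ports(perm):
    """Oracle ports a single rule opens to 0.0.0.0/0 or ::/0.

    Unlike an exact from-port filter, this catches a TCP range such as
    1000-2000 that contains 1521, and protocol "-1" (all traffic), which
    carries no FromPort/ToPort at all."""
    if not INTERNET_CIDRS.intersection(s for s in rule_sources(perm) if s):
        return set()
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(ORACLE_PORTS)
    if proto not in ("tcp", "6"):  # "6" is the numeric form of TCP
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ORACLE_PORTS if lo <= p <= hi}

def find_exposed_groups(security_groups):
    """Map GroupId -> sorted Oracle ports reachable from the internet."""
    findings = {}
    for sg in security_groups:
        ports = set()
        for perm in sg.get("IpPermissions", []):
            ports |= exposed_oracle_ports(perm)
        if ports:
            findings[sg["GroupId"]] = sorted(ports)
    return findings

# Constructed samples: a wide TCP range, an all-traffic IPv6 rule, a fixed one.
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaaa", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1000,
        "ToPort": 2000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bbbb", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-cccc", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1521,
        "ToPort": 1521, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]
```

To run it against a real account, load the CLI's JSON output with `json.load` and pass its `SecurityGroups` list to `find_exposed_groups`; an empty result means no group opens an Oracle port to the internet.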

Additional Resources

Notes

  • Test before applying: Removing security group rules can disrupt running applications. Identify all systems that need Oracle access and ensure replacement rules are in place before removing the open rules.

  • Consider architecture changes: For production databases, consider placing Oracle instances in private subnets with no public IP addresses. Use a VPN, AWS Direct Connect, or a bastion host for administrative access.

  • Enable TLS: Oracle port 2484 supports TLS encryption. If you need network-level database access, use TLS on port 2484 rather than unencrypted connections on port 1521.

  • Defense in depth: Combine security groups with Network ACLs for additional protection. Security groups are stateful (return traffic is automatically allowed), while NACLs are stateless and provide an extra layer of control.

  • Compliance frameworks: This check maps to controls in C5, ISO27001, KISA-ISMS-P, NIS2, and SOC2. Remediating this finding helps meet compliance requirements for these frameworks.