Ensure No EC2 Instances Allow Ingress from the Internet to TCP Port 3389 (RDP)

Overview

This check identifies EC2 instances whose security groups allow unrestricted Remote Desktop Protocol (RDP) traffic on TCP port 3389 from the internet (0.0.0.0/0 or ::/0). RDP is Microsoft's protocol for remote access to Windows systems, and exposing it publicly is a critical security risk.

Risk

Exposing RDP to the internet creates serious attack vectors:

  • Brute force attacks: Attackers can attempt thousands of password combinations to gain access
  • Credential theft: Compromised or weak passwords can be exploited
  • Ransomware deployment: Attackers frequently use exposed RDP as an entry point for ransomware
  • Lateral movement: Once inside, attackers can move through your network and access other resources
  • Data exfiltration: Sensitive data can be stolen from compromised systems

This is rated as a critical severity finding because internet-exposed RDP is one of the most common attack vectors used by threat actors.

Remediation Steps

Prerequisites

You need permission to modify EC2 security groups in your AWS account. If you plan to restrict RDP access to specific IP addresses, have those IP ranges ready (e.g., your corporate VPN or office IP addresses).

Setting up AWS CLI (optional)

If you prefer using the command line, ensure you have the AWS CLI installed and configured:

# Verify AWS CLI is installed
aws --version

# Configure credentials if needed
aws configure

# Verify access
aws sts get-caller-identity

AWS Console Method

  1. Open the EC2 Console in us-east-1
  2. In the left navigation, click Instances
  3. Select the affected EC2 instance
  4. Click the Security tab at the bottom of the page
  5. Click the security group link under Security groups
  6. Click Edit inbound rules
  7. Find any rule with:
    • Type: RDP (or Custom TCP with port 3389)
    • Source: 0.0.0.0/0 or ::/0
  8. Either:
    • Delete the rule by clicking the X button (if RDP access is not needed), or
    • Restrict the source to a specific IP or CIDR block (e.g., 10.0.0.0/8 for your VPN)
  9. Click Save rules

Important: If you need remote access to Windows instances, consider using AWS Systems Manager Session Manager instead, which provides secure access without opening any inbound ports.

AWS CLI (optional)

Step 1: Identify the security group with the exposed rule

# Find security groups allowing RDP from anywhere
aws ec2 describe-security-groups \
--region us-east-1 \
--filters "Name=ip-permission.from-port,Values=3389" \
"Name=ip-permission.to-port,Values=3389" \
"Name=ip-permission.cidr,Values=0.0.0.0/0" \
--query 'SecurityGroups[*].[GroupId,GroupName]' \
--output table

Step 2: Remove the overly permissive rule

# Remove the rule allowing RDP from anywhere (IPv4)
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 3389 \
--cidr 0.0.0.0/0

# Also remove IPv6 rule if present
aws ec2 revoke-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 3389 \
--cidr ::/0

Step 3 (optional): Add a restricted rule if RDP access is still needed

# Add RDP access from a specific trusted CIDR only
aws ec2 authorize-security-group-ingress \
--region us-east-1 \
--group-id <SECURITY_GROUP_ID> \
--protocol tcp \
--port 3389 \
--cidr <YOUR_TRUSTED_CIDR>

Replace <SECURITY_GROUP_ID> with your security group ID (e.g., sg-0123456789abcdef0) and <YOUR_TRUSTED_CIDR> with your allowed IP range (e.g., 10.0.0.0/8).

CloudFormation (optional)

Use this template to create a security group with properly restricted RDP access:

AWSTemplateFormatVersion: '2010-09-09'
Description: Security group with restricted RDP access

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID where the security group will be created
  AllowedCidr:
    Type: String
    Description: CIDR block allowed for RDP access (e.g., your corporate VPN)
    Default: 10.0.0.0/8

Resources:
  RestrictedRDPSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group with restricted RDP access
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: !Ref AllowedCidr
          Description: RDP access from trusted network only
      Tags:
        - Key: Name
          Value: restricted-rdp-sg

Outputs:
  SecurityGroupId:
    Description: ID of the security group
    Value: !Ref RestrictedRDPSecurityGroup

Deploy the stack:

aws cloudformation deploy \
--region us-east-1 \
--stack-name restricted-rdp-sg \
--template-file template.yaml \
--parameter-overrides VpcId=<YOUR_VPC_ID> AllowedCidr=<YOUR_TRUSTED_CIDR>

Terraform (optional)

Use this configuration to create a security group with properly restricted RDP access:

variable "vpc_id" {
  description = "VPC ID where the security group will be created"
  type        = string
}

variable "allowed_cidr" {
  description = "CIDR block allowed for RDP access (e.g., your corporate VPN)"
  type        = string
  default     = "10.0.0.0/8"
}

resource "aws_security_group" "restricted_rdp" {
  name        = "restricted-rdp-sg"
  description = "Security group with restricted RDP access"
  vpc_id      = var.vpc_id

  ingress {
    description = "RDP access from trusted network only"
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = [var.allowed_cidr]
  }

  tags = {
    Name = "restricted-rdp-sg"
  }
}

output "security_group_id" {
  description = "ID of the security group"
  value       = aws_security_group.restricted_rdp.id
}

Apply the configuration:

terraform init
terraform apply -var="vpc_id=<YOUR_VPC_ID>" -var="allowed_cidr=<YOUR_TRUSTED_CIDR>"

Verification

After making changes, verify the fix in the AWS Console:

  1. Go to EC2 > Security Groups
  2. Select your security group
  3. Check the Inbound rules tab
  4. Confirm there are no rules allowing port 3389 from 0.0.0.0/0 or ::/0

CLI verification commands

# Verify no security groups allow RDP from anywhere
aws ec2 describe-security-groups \
--region us-east-1 \
--filters "Name=ip-permission.from-port,Values=3389" \
"Name=ip-permission.to-port,Values=3389" \
"Name=ip-permission.cidr,Values=0.0.0.0/0" \
--query 'SecurityGroups[*].GroupId' \
--output text

# Should return empty if properly remediated
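The describe-security-groups filters above match only rules whose port range is exactly 3389 and whose IPv4 source is 0.0.0.0/0, so an "all traffic" rule, a wider port range such as 3000-4000, or an IPv6 source of ::/0 is not reported even though each still exposes RDP. The following script is an added example (not Prowler's own check code) that applies the check's full logic to a describe-security-groups response; the JSON and the sg-0aaaa... group IDs are constructed for the example.

```python
import json
from ipaddress import ip_network

RDP_PORT = 3389

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE_RESPONSE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "GroupName": "rdp-open-ipv4",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0aaaaaaaaaaaaaaa2", "GroupName": "rdp-open-ipv6-range",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0aaaaaaaaaaaaaaa3", "GroupName": "all-traffic-open",
   "IpPermissions": [{"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0aaaaaaaaaaaaaaa4", "GroupName": "rdp-restricted",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
]}
""")

def _is_internet_source(cidr):
    # 0.0.0.0/0 and ::/0 are the only networks with prefix length 0.
    return ip_network(cidr, strict=False).prefixlen == 0

def _rule_covers_rdp(perm):
    # "-1" means all protocols and all ports; it has no FromPort/ToPort.
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)

def find_exposed_rdp_groups(response):
    # Return IDs of groups with an ingress rule reaching TCP/3389 from the internet.
    exposed = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _rule_covers_rdp(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(_is_internet_source(c) for c in sources):
                exposed.append(sg["GroupId"])
                break  # one offending rule is enough to flag the group
    return exposed

if __name__ == "__main__":
    for group_id in find_exposed_rdp_groups(SAMPLE_RESPONSE):
        print("exposed:", group_id)
```

To run it against a real account, pass `json.load(...)` of the saved `aws ec2 describe-security-groups --output json` output to `find_exposed_rdp_groups` instead of the constructed sample.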

You can also re-run the Prowler check to confirm:

prowler aws --check ec2_instance_port_rdp_exposed_to_internet --region us-east-1

Notes

  • Service interruption: Removing RDP access may disconnect active remote desktop sessions. Coordinate with users before making changes.
  • Better alternatives: Consider using AWS Systems Manager Session Manager for remote access. It requires no inbound ports and provides audit logging.
  • VPN access: If RDP is required, route it through a VPN rather than exposing it directly to the internet.
  • Network Level Authentication (NLA): If RDP must remain accessible, ensure NLA is enabled on Windows instances for an additional layer of protection.
  • Monitoring: Enable VPC Flow Logs and CloudTrail to monitor for unauthorized access attempts.