How can I troubleshoot the error "InvalidPermission.NotFound" with the AWS Config rule vpc-sg-open-only-to-authorized-ports and Systems Manager Automation document AWS-DisablePublicAccessForSecurityGroup?

Last updated: 2020-08-12

I created the AWS Systems Manager Automation document AWS-DisablePublicAccessForSecurityGroup to disable SSH and RDP ports. However, auto-remediation fails with the AWS Config rule vpc-sg-open-only-to-authorized-ports. I receive an error similar to the following:

"An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group."  

Short description

The AWS Config rule checks that the security group allows inbound TCP or UDP traffic to 0.0.0.0/0. For example, to allow TCP ports 443 and 1020-1025 access to 0.0.0.0/0, specify the ports in the AWS Config rule parameter. The SSM Document AWS-DisablePublicAccessForSecurityGroup is limited to the default SSH 22 and RDP 3389 ports opened to all IP addresses (0.0.0.0/0), or a specified IPv4 address using the IpAddressToBlock parameter.

Resolution

The client error InvalidPermission.NotFound with the RevokeSecurityGroupIngress API action means that the target security group doesn't have an inbound rule, or isn't located in the default Amazon Virtual Private Cloud (Amazon VPC).

Important: Before you begin, be sure that you installed and configured the AWS Command Line Interface (AWS CLI).

To verify the error message, run the AWS CLI command describe-remediation-execution-status similar to the following:

aws configservice describe-remediation-execution-status --config-rule-name vpc-sg-open-only-to-authorized-ports --region af-south-1 --resource-keys resourceType=AWS::EC2::SecurityGroup,resourceId=sg-1234567891234567891

The inbound rules for the security group must specify open ports using one of the following patterns:

0.0.0.0/0

::/0

SSH or RDP port + 0.0.0.0/0

SSH or RDP port + ::/0

To configure auto-remediation for other ports including 22 and 3389, you can use a custom SSM document to automate the process. For instructions, see Creating Systems Manager documents.