
EC2 instance does not allow ingress from the Internet to TCP ports 88, 464, 749, or 750 (Kerberos)

ec2_instance_port_kerberos_exposed_to_internet

Severity: critical
Service: ec2
by Prowler

EC2 instances whose security groups allow public inbound TCP access to Kerberos ports 88, 464, 749, or 750 (authentication, password change, admin).

Rules permitting 0.0.0.0/0 or ::/0 are treated as Internet-exposed.
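The detection logic described above, written out as an added example (not Prowler's own check code): it evaluates a security group's inbound rules in the shape returned by `aws ec2 describe-security-groups` (`IpPermissions`), flags any TCP or all-traffic rule that reaches port 88, 464, 749 or 750 from 0.0.0.0/0 or ::/0, and builds the exact-match payload the `revoke-security-group-ingress` command needs. The sample rules are constructed for illustration.

```python
import json

# Kerberos TCP ports named by the check: KDC (88), kpasswd (464), kadmin (749/750)
KERBEROS_PORTS = (88, 464, 749, 750)
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(perm):
    """Port span covered by one IpPermissions entry; protocol '-1' means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _public_ranges(perm):
    """Split an entry's CIDR ranges into the IPv4 and IPv6 ones that are Internet-wide."""
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in PUBLIC_CIDRS]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in PUBLIC_CIDRS]
    return v4, v6


def offending_permissions(ip_permissions):
    """Return the inbound entries that expose a Kerberos TCP port to 0.0.0.0/0 or ::/0,
    trimmed to only their public CIDR ranges so they still match the live rule exactly."""
    hits = []
    for perm in ip_permissions:
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue  # the check covers TCP rules (and all-traffic rules, which include TCP)
        lo, hi = _port_range(perm)
        if not any(lo <= p <= hi for p in KERBEROS_PORTS):
            continue
        v4, v6 = _public_ranges(perm)
        if not (v4 or v6):
            continue  # only trusted CIDRs: compliant
        trimmed = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            trimmed["FromPort"], trimmed["ToPort"] = lo, hi
        if v4:
            trimmed["IpRanges"] = v4
        if v6:
            trimmed["Ipv6Ranges"] = v6
        hits.append(trimmed)
    return hits


def exposed_kerberos_ports(ip_permissions):
    """Sorted (port, cidr) pairs for reporting, e.g. [(88, '0.0.0.0/0')]."""
    pairs = set()
    for perm in offending_permissions(ip_permissions):
        lo, hi = _port_range(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in KERBEROS_PORTS:
            if lo <= port <= hi:
                pairs.update((port, cidr) for cidr in cidrs)
    return sorted(pairs)


def revoke_payload(ip_permissions):
    """JSON for --ip-permissions of `aws ec2 revoke-security-group-ingress`.
    Entries must match existing rules exactly, so wide port ranges are revoked whole."""
    return json.dumps(offending_permissions(ip_permissions), separators=(",", ":"))


# Constructed sample: inbound rules of one security group
SAMPLE_SG_RULES = [
    # KDC open to the whole IPv4 Internet as well as an internal range
    {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    # kpasswd open to the whole IPv6 Internet
    {"IpProtocol": "tcp", "FromPort": 464, "ToPort": 464,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    # kadmin restricted to the internal network: compliant
    {"IpProtocol": "tcp", "FromPort": 749, "ToPort": 750,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    # HTTPS to the world: not a Kerberos port
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    # UDP 88 to the world: outside this TCP-only check
    {"IpProtocol": "udp", "FromPort": 88, "ToPort": 88,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]

if __name__ == "__main__":
    for port, cidr in exposed_kerberos_ports(SAMPLE_SG_RULES):
        print(f"FAIL: TCP port {port} open from {cidr}")
    print("revoke with --ip-permissions", revoke_payload(SAMPLE_SG_RULES))
```

Note that a rule opening all ports (`IpProtocol` of `-1`, or a TCP range spanning 88) fails the check just as a single-port rule does, and the generated revoke payload reproduces that rule as written, since the API only removes rules that match exactly; re-add narrower rules for trusted CIDRs afterwards.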

Risk

Public Kerberos exposure puts confidentiality, integrity and availability at risk:

  • Password spraying/AS-REP roasting against accounts
  • Unauthorized password changes on 464
  • Realm/user enumeration and DoS of KDC/services

Stolen tickets enable lateral movement and privilege escalation in Active Directory or the Kerberos realm.

Run this check with Prowler CLI

prowler aws --checks ec2_instance_port_kerberos_exposed_to_internet

Fix finding with Prowler CLI

prowler aws --checks ec2_instance_port_kerberos_exposed_to_internet --fixer

Recommendation

Restrict Kerberos ports to trusted sources only.

  • Prefer private connectivity (VPN, peering) over public exposure
  • Place KDCs/services in private subnets without public IPs
  • Apply least privilege with narrowly scoped security group rules and NACLs
  • Add defense-in-depth: host firewalls and monitor authentication activity

Remediation

CLI

aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":88,"ToPort":88,"IpRanges":[{"CidrIp":"0.0.0.0/0"}],"Ipv6Ranges":[{"CidrIpv6":"::/0"}]},{"IpProtocol":"tcp","FromPort":464,"ToPort":464,"IpRanges":[{"CidrIp":"0.0.0.0/0"}],"Ipv6Ranges":[{"CidrIpv6":"::/0"}]},{"IpProtocol":"tcp","FromPort":749,"ToPort":749,"IpRanges":[{"CidrIp":"0.0.0.0/0"}],"Ipv6Ranges":[{"CidrIpv6":"::/0"}]},{"IpProtocol":"tcp","FromPort":750,"ToPort":750,"IpRanges":[{"CidrIp":"0.0.0.0/0"}],"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'

Other
  1. In the AWS console, go to EC2 > Security Groups
  2. Select the security group attached to the affected instance
  3. Edit inbound rules
  4. Remove any rule allowing TCP ports 88, 464, 749, or 750 from 0.0.0.0/0 or ::/0
  5. If access is required, re-add these ports only from trusted CIDR(s) (e.g., your internal network)
  6. Save rules

Resource Type

AwsEc2Instance
