This check identifies EC2 instances whose security groups permit Internet-sourced ingress (0.0.0.0/0 or ::/0) to LDAP on TCP 389 or LDAPS on TCP 636.
Public exposure context (whether the instance has a public IP address and whether its subnet is reachable from the Internet) is considered to gauge how broadly these ports can actually be reached; an open rule on an instance with no public address is a latent rather than an active exposure.
Risk
Publicly reachable LDAP/LDAPS enables:
- Directory enumeration and weak/anonymous bind attempts
- Password spraying and credential theft (simple binds on 389 without StartTLS carry credentials in cleartext)
- Unauthorized queries leading to data exfiltration
Abuse may lead to privilege escalation, and to availability impact through account lockouts triggered by spraying.
prowler aws --checks ec2_instance_port_ldap_exposed_to_internet
prowler aws --checks ec2_instance_port_ldap_exposed_to_internet --fixer
Recommendation
Limit LDAP to trusted networks:
- Allowlist specific source CIDRs in security groups (least privilege)
- Use private connectivity (VPC peering or VPN) instead of the Internet
- Require LDAPS (or StartTLS on 389) with properly issued certificates, and disable anonymous and unencrypted simple binds
- Add network ACLs and monitoring for defense in depth
If external access is genuinely required, front the directory with a proxy and enforce rate limits.
Remediation
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":389,"ToPort":389,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},{"IpProtocol":"tcp","FromPort":636,"ToPort":636,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
This command removes only single-port IPv4 rules. A rule sourced from ::/0 must be revoked with an Ipv6Ranges entry instead of IpRanges, and a wider range that includes 389 or 636 (for example 0-65535, or an all-traffic rule) must be revoked exactly as it is written, since revocation matches existing rules by protocol, port range and source.
- In the AWS Console, go to EC2 > Security Groups
- Select the security group attached to the affected instance
- In Inbound rules, find rules for TCP 389 or 636 with Source set to Anywhere (0.0.0.0/0 or ::/0)
- Delete those rule(s)
- (If access is required) Add inbound rules for TCP 389 and/or 636 scoped to specific trusted CIDR(s) only
- Save rules
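The following is an added example, not Prowler's source code and not part of this page: it models the check's detection logic and the remediation above on dictionaries shaped like the EC2 describe-instances and describe-security-groups responses, so it runs offline without credentials. It flags TCP 389/636 ingress from 0.0.0.0/0 or ::/0 (including all-traffic rules and wider port ranges), records the public-IP exposure context, and builds the exact IpPermissions JSON that revoke-security-group-ingress needs for each offending rule, leaving any allowlisted sources on the same rule intact. All security groups and instances below are constructed sample data.

```python
"""Offline model of the ec2_instance_port_ldap_exposed_to_internet check.
Added example on AWS-API-shaped dicts; not Prowler's own code. Sample data
is constructed and uses documentation/private address ranges only."""
import json

LDAP_PORTS = (389, 636)
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def covered_ldap_ports(perm):
    """LDAP ports this ingress rule reaches. '-1' means all protocols and ports
    (and carries no FromPort/ToPort); UDP is ignored because the check is TCP-only."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return list(LDAP_PORTS)
    if proto != "tcp":
        return []
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return [p for p in LDAP_PORTS if lo <= p <= hi]


def internet_sources(perm):
    """The rule's sources that are the whole Internet, per address family."""
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    return v4, v6


def offending_permissions(sg):
    """(ports, revoke_entry) for each rule exposing LDAP/LDAPS. The revoke entry keeps
    the rule's own protocol and port range, because revocation matches rules exactly:
    a 0-65535 rule is revoked as 0-65535, not as 389. Only the open sources are listed,
    so an allowlisted CIDR on the same rule survives the revoke."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        ports, (v4, v6) = covered_ldap_ports(perm), internet_sources(perm)
        if not ports or not (v4 or v6):
            continue
        revoke = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            revoke["FromPort"], revoke["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            revoke["IpRanges"] = v4
        if v6:
            revoke["Ipv6Ranges"] = v6
        hits.append((ports, revoke))
    return hits


def check_instance(instance, groups_by_id):
    """One finding per attached security group that exposes LDAP/LDAPS.
    public_ip is the exposure context: None means the rule is latent for now."""
    findings = []
    for ref in instance.get("SecurityGroups", []):
        hits = offending_permissions(groups_by_id.get(ref["GroupId"], {}))
        if hits:
            findings.append({
                "instance": instance["InstanceId"],
                "group": ref["GroupId"],
                "ports": sorted({p for ports, _ in hits for p in ports}),
                "public_ip": instance.get("PublicIpAddress"),
                "revoke": [perm for _, perm in hits],
            })
    return findings


# Constructed sample data in the shape of the EC2 API responses.
SAMPLE_GROUPS = {
    "sg-0aaa": {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 636, "ToPort": 636,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "sg-0bbb": {"GroupId": "sg-0bbb", "IpPermissions": [  # wide range swallowing 389/636
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-0ccc": {"GroupId": "sg-0ccc", "IpPermissions": [  # allowlisted LDAPS, open UDP: clean
        {"IpProtocol": "tcp", "FromPort": 636, "ToPort": 636,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0001", "PublicIpAddress": "198.51.100.10", "SecurityGroups": [{"GroupId": "sg-0aaa"}]},
    {"InstanceId": "i-0002", "SecurityGroups": [{"GroupId": "sg-0bbb"}, {"GroupId": "sg-0ccc"}]},
    {"InstanceId": "i-0003", "PublicIpAddress": "198.51.100.11", "SecurityGroups": [{"GroupId": "sg-0ccc"}]},
]


def run(instances=SAMPLE_INSTANCES, groups=SAMPLE_GROUPS):
    return [f for inst in instances for f in check_instance(inst, groups)]


if __name__ == "__main__":
    for f in run():
        ctx = "public IP %s" % f["public_ip"] if f["public_ip"] else "no public IP"
        print("%s via %s exposes %s (%s)" % (f["instance"], f["group"], f["ports"], ctx))
        print("  aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
              % (f["group"], json.dumps(f["revoke"])))
```

Run it as-is to see two findings: i-0001 (public IP, one IPv4 rule on 389 and one IPv6 rule on 636, each revoked without touching the 10.0.0.0/8 allowlist) and i-0002 (no public IP, exposed through a 0-65535 rule that must be revoked with that full range). i-0003 is clean because its LDAPS rule is allowlisted and the open UDP rule is out of scope. To run it against a real account, feed the output of describe-instances and describe-security-groups into check_instance instead of the sample dicts.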
Resource Type
AwsEc2Instance