If an Elastic Compute Service (ECS) instance belongs to a security group that you specify, the instance is evaluated as compliant.
Scenarios
Security groups act as virtual firewalls that provide Stateful Packet Inspection (SPI) and packet filtering capabilities for defining security domains in the cloud. By configuring security group rules, you can control the inbound and outbound traffic of ECS instances.
Risk level
Default risk level: high.
You can change the risk level when you apply this rule.
Compliance evaluation logic
-
An ECS instance is compliant if it is in a security group you specify for this rule.
-
An ECS instance is non-compliant if it is not in any of the specified security groups. For remediation steps, see Remediation.
Rule details
|
Parameter |
Description |
|
Rule name |
ECS instance is in a specified security group |
|
Rule ID |
ecs-instance-attached-security-group |
|
Tags |
ECS, instance |
|
Automatic remediation |
Not supported |
|
Trigger type |
Configuration change |
|
Supported resource types |
ECS instance |
|
Input parameters |
Note
Separate multiple security group IDs with commas. |
Non-compliance remediation
Change the security group of the ECS instance. For details, see Use security groups.