sg-public-access-check

更新时间:
复制 MD 格式

Evaluates whether the inbound rules of a security group expose all ports to the public internet.

Scenario

Security groups act as virtual firewalls that provide Stateful Packet Inspection (SPI) and packet filtering capabilities to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances.

Risk level

Default risk level: high.

You can change the risk level when you apply this rule.

Compliance evaluation logic

  • If the port range -1/-1 and the CIDR block 0.0.0.0/0 are not both specified in a security group rule that allows inbound access, the configuration is compliant.
  • If the port range -1/-1 and the CIDR block 0.0.0.0/0 are both specified in a security group rule that allows inbound access, the configuration is non-compliant. To correct the configuration, seeNon-compliance remediation.

Rule details

Item Description
Rule name sg-public-access-check
Rule ID sg-public-access-check
Tag SecurityGroup
Automatic remediation Not supported
Trigger type Configuration change
Supported resource type ECS security group
Input parameter None

Non-compliance remediation

Modify the security group rules. For more information, seeModify a security group rule.