Evaluates whether the inbound rules of a security group expose all ports to the public internet.
Scenario
Security groups act as virtual firewalls that provide Stateful Packet Inspection (SPI) and packet filtering capabilities to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances.
Risk level
Default risk level: high.
You can change the risk level when you apply this rule.
Compliance evaluation logic
- If the port range -1/-1 and the CIDR block 0.0.0.0/0 are not both specified in a security group rule that allows inbound access, the configuration is compliant.
- If the port range -1/-1 and the CIDR block 0.0.0.0/0 are both specified in a security group rule that allows inbound access, the configuration is non-compliant. To correct the configuration, seeNon-compliance remediation.
Rule details
| Item | Description |
| Rule name | sg-public-access-check |
| Rule ID | sg-public-access-check |
| Tag | SecurityGroup |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | ECS security group |
| Input parameter | None |
Non-compliance remediation
Modify the security group rules. For more information, seeModify a security group rule.
该文章对您有帮助吗?