sg-risky-ports-check

更新时间:
复制 MD 格式

Evaluates whether a security group restricts inbound access by not opening all ports to 0.0.0.0/0, or by disabling specified high-risk ports when 0.0.0.0/0 is allowed. The configuration is compliant if the inbound CIDR block is not set to 0.0.0.0/0, or if it is set to 0.0.0.0/0 but the specified high-risk ports are disabled.

Scenarios

If an Elastic Compute Service (ECS) instance allows inbound access from all CIDR blocks (0.0.0.0/0), all high-risk ports must be disabled to prevent network security risks.

Risk level

Default risk level: high.

You can change the risk level when you configure this rule.

Compliance evaluation logic

  • If the inbound CIDR block of a security group is not set to 0.0.0.0/0, the configuration is considered compliant.
  • If the inbound CIDR block of the security group is set to 0.0.0.0/0 but the specified high-risk ports are disabled, the configuration is also considered compliant.
  • If the inbound CIDR block of the security group is set to 0.0.0.0/0 and the specified high-risk ports are enabled, the configuration is considered non-compliant. To remediate a non-compliant configuration, see Non-compliance remediation.

Rule details

Item Description
Rule name sg-risky-ports-check
Rule identifier sg-risky-ports-check
Tag SecurityGroup
Automatic remediation Not supported
Trigger type Configuration change
Supported resource type ECS security group
Input parameter ports
Note Separate multiple ports with commas (,).

Non-compliance remediation

Modify security group rules. For more information, see Modify a security group rule.