Evaluates whether a security group restricts inbound access by not opening all ports to 0.0.0.0/0, or by disabling specified high-risk ports when 0.0.0.0/0 is allowed. The configuration is compliant if the inbound CIDR block is not set to 0.0.0.0/0, or if it is set to 0.0.0.0/0 but the specified high-risk ports are disabled.
Scenarios
If an Elastic Compute Service (ECS) instance allows inbound access from all CIDR blocks (0.0.0.0/0), all high-risk ports must be disabled to prevent network security risks.
Risk level
Default risk level: high.
You can change the risk level when you configure this rule.
Compliance evaluation logic
- If the inbound CIDR block of a security group is not set to 0.0.0.0/0, the configuration is considered compliant.
- If the inbound CIDR block of the security group is set to 0.0.0.0/0 but the specified high-risk ports are disabled, the configuration is also considered compliant.
- If the inbound CIDR block of the security group is set to 0.0.0.0/0 and the specified high-risk ports are enabled, the configuration is considered non-compliant. To remediate a non-compliant configuration, see Non-compliance remediation.
Rule details
| Item | Description |
| Rule name | sg-risky-ports-check |
| Rule identifier | sg-risky-ports-check |
| Tag | SecurityGroup |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | ECS security group |
| Input parameter | ports
Note Separate multiple ports with commas (,). |
Non-compliance remediation
Modify security group rules. For more information, see Modify a security group rule.
该文章对您有帮助吗?