Exposing high-risk ports such as 22 (SSH) and 3389 (RDP) to all IP addresses (0.0.0.0/0) in a security group poses a major security risk. You can use Terraform to create Cloud Config rules to continuously monitor your security group configurations and automatically remediate non-compliant settings, ensuring your system remains secure.
Background
In an enterprise cloud environment, security groups are a core component for controlling network traffic and access to instances. However, in complex, multi-instance scenarios, operational oversights or flawed policy designs can lead to high-risk configurations. Common issues include:
-
Exposing high-risk ports to the internet: For example, opening SSH (port 22), RDP (port 3389), or database service ports (such as 3306 or 6379) to the public internet (
0.0.0.0/0). This makes your instances prime targets for attacks like brute-force attempts and data breaches. -
Mixing internal and public services: Failing to distinguish between instance roles, such as public-facing web servers and internal databases. This can lead to mistakenly granting broad network access to internal services, creating a risk of lateral movement within your network.
Solution
This solution uses Terraform to create Cloud Config rules for continuous monitoring of security group configurations. These rules detect when high-risk ports like 22, 3389, or 3306 are open to the public. When a security group rule is added or modified to allow public access to these ports, Cloud Config automatically triggers a compliance audit. Cloud Config then invokes a Function Compute function to perform the custom remediation. This function uses the Alibaba Cloud SDK to adjust the security group settings, for example, by deleting the non-compliant rule. After remediation, the system re-evaluates the rules to confirm the issue is resolved. You can view the remediation details for any non-compliant resource in the Cloud Config console. This entire process is transparent and traceable, effectively preventing unauthorized public access. This automated approach improves operational efficiency, reduces manual intervention, and ensures your resource configurations meet security standards, thereby strengthening your environment's security and stability.
Create Cloud Config rules with Function Compute remediation
This solution uses Terraform to create Cloud Config rules and integrates with Function Compute for automatic remediation. This enables automated detection and management of cloud resource compliance.
If you are a RAM user, grant the required permissions to the RAM user. For more information, see Grant permissions to RAM users.
You can run the sample code in this topic with one click. Run
This solution directly deletes non-compliant security group rules for automatic remediation. This action may impact business continuity. You must modify the Function Compute remediation code to meet your specific business requirements.
View creation results
-
Log on to the Cloud Config console to view the rule.
The rules list shows the created rule SPM0014 security groups must not allow high-risk ports to be open to all IP addresses. The rule status is In effect, the number of non-compliant resources is 2, the risk level is Critical, and the creation channel is Cloud Config.
-
Log on to the Function Compute console to view the function.
In the Functions list, you can see the successfully created function HHM-FC-TEST, which uses the Python 3.10 runtime.
View remediation results
Before remediation
-
View non-compliant resources in Cloud Config.
The evaluation results for the rule SPM0014 security groups must not allow high-risk ports to be open to all IP addresses show that two of the three evaluated security groups are non-compliant. The non-compliant resources are
sg-bp1lilp19h7x4gz4dfm9(sg-20250411) andsg-bp1hcnsurijy302b8bpi(sg-20230520), indicating that these two ECS security groups expose port 22 or 3389 to all IP addresses. -
Log on to the ECS console to view the security group.
In the left-side navigation pane, choose Network & Security > Security Groups. Go to the security group details page to view the inbound rules. The security group has six inbound rules, all using the Custom TCP protocol. The port ranges are 23/23, 1433/1433, 3389/3389, 1/65535, 6379/6379, and 3306/3306. The authorization object for all rules is
0.0.0.0/0(all IPv4 addresses), and the authorization policy is Allow.
After remediation
-
View automatic remediation details in Cloud Config.
On the rule details page, click the Remediation Details tab to view the remediation settings and execution results. The remediation type is custom remediation, the execution method is Automatic, and the remediation template is
acs:fc:cn-shenzhen:1595149171858855:functions/HHM-FC-TEST. The execution results list shows a Success status for the remediation of all three ECS security groups.
-
View the ECS security group after remediation.
In the left-side navigation pane, click Security Groups, select the China (Hangzhou) region, and go to the details page for security group
sg-bp1hcnsurijy302b8bpi. The Inbound Rules list is empty, which means no inbound rules are configured.
Related documents
-
For information about creating Cloud Config rules, see Create a rule.
-
For more security group configuration examples, see Security group application guide and examples.
-
When creating a rule from a template or creating a custom rule, you can configure custom remediation. To remediate non-compliant resources by using Function Compute, see Set up custom remediation.