A security group is compliant if at least one ECS instance is associated with it. Use this rule to identify and clean up idle security groups.
Scenarios
Regularly delete idle security groups to prevent resource waste and reduce management costs.
Risk level
Default risk level: medium.
You can change the risk level based on your business requirements when you apply this rule.
Compliance evaluation logic
- If at least one ECS instance is associated with a security group, the configuration is considered compliant.
- If no ECS instances are associated with a security group, the configuration is considered incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
Rule details
| Item | Description |
| Rule name | ecs-security-group-not-used |
| Rule identifier | ecs-security-group-not-used |
| Tag | ECS and SecurityGroup |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | ECS security group |
| Input parameter | None. |
Incompliance remediation
Add an ECS instance to a security group. For more information, see Associate security groups with an instance (primary ENI).
该文章对您有帮助吗?