Evaluates whether an inbound security group rule with Action set to Allow has Port Range set to All. The rule is compliant if Port Range is not All, or if a higher-priority rule denies access on all ports.
Scenarios
Apply this rule to enforce least-privilege security group configurations and reduce network exposure in your cloud environment.
Risk level
Default risk level: high.
You can change the risk level based on your business requirements.
Compliance evaluation logic
- Compliant: The Port Range of an Allow inbound rule is not set to All, or an inbound rule with a higher priority denies access on all ports.
- Incompliant: The Port Range is set to All and no higher-priority inbound rule denies access. To fix this, see Incompliance remediation.
This rule does not apply to security groups used by Alibaba Cloud services other than ECS, such as Cloud Firewall and NAT Gateway, or by virtual server providers. These security groups are marked as inapplicable.
NoteSecurity groups that are created in managed mode by Alibaba Cloud services other than ECS are called managed security groups. For more information about managed security groups, see Managed security groups.
Rule details
| Item | Description |
| Rule name | ecs-security-group-not-open-all-port |
| Rule identifier | ecs-security-group-not-open-all-port |
| Tag | SecurityGroup |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | ECS security group |
| Input parameter | None. |
Incompliance remediation
Modify a security group rule. For more information, see Modify a security group rule.