ECS security group inbound rules must not open all ports

更新时间:
复制 MD 格式

Evaluates whether an inbound security group rule with Action set to Allow has Port Range set to All. The rule is compliant if Port Range is not All, or if a higher-priority rule denies access on all ports.

Scenarios

Apply this rule to enforce least-privilege security group configurations and reduce network exposure in your cloud environment.

Risk level

Default risk level: high.

You can change the risk level based on your business requirements.

Compliance evaluation logic

  • Compliant: The Port Range of an Allow inbound rule is not set to All, or an inbound rule with a higher priority denies access on all ports.
  • Incompliant: The Port Range is set to All and no higher-priority inbound rule denies access. To fix this, see Incompliance remediation.
  • This rule does not apply to security groups used by Alibaba Cloud services other than ECS, such as Cloud Firewall and NAT Gateway, or by virtual server providers. These security groups are marked as inapplicable.

    Note

    Security groups that are created in managed mode by Alibaba Cloud services other than ECS are called managed security groups. For more information about managed security groups, see Managed security groups.

Rule details

Item Description
Rule name ecs-security-group-not-open-all-port
Rule identifier ecs-security-group-not-open-all-port
Tag SecurityGroup
Automatic remediation Not supported
Trigger type Configuration change
Supported resource type ECS security group
Input parameter None.

Incompliance remediation

Modify a security group rule. For more information, see Modify a security group rule.