Inbound security group rules must not allow all protocols

更新时间:
复制 MD 格式

Evaluates inbound security group rules where Action is set to Allow. The result is Compliant if Protocol Type is not set to All, or if a higher-priority inbound rule denies access over all protocols.

Scenarios

Enforces least-privilege security group configurations to minimize network exposure.

Risk level

Default risk level: high.

You can change the risk level when you apply this rule.

Compliance evaluation logic

  • Compliant: Protocol Type is not set to All, or a higher-priority inbound rule denies access over all protocols.
  • Incompliant: Protocol Type is set to All and no higher-priority inbound rule denies all-protocol access. Follow the Incompliance remediation steps to fix this.
  • This rule does not apply to security groups used by Alibaba Cloud services other than ECS, such as Cloud Firewall and NAT Gateway, or by virtual server providers. These security groups are marked as inapplicable.

    Note

    Security groups that are created in managed mode by Alibaba Cloud services other than ECS are called managed security groups. For more information about managed security groups, see Managed security groups.

Rule details

Item Description
Rule name ecs-security-group-not-open-all-protocol
Rule identifier ecs-security-group-not-open-all-protocol
Tag SecurityGroup
Automatic remediation Not supported
Trigger type Configuration change
Supported resource type ECS security group
Input parameter None.

Incompliance remediation

Modify a security group rule. For more information, see Modify a security group rule.