Evaluates inbound security group rules where Action is set to Allow. The result is Compliant if Protocol Type is not set to All, or if a higher-priority inbound rule denies access over all protocols.
Scenarios
Enforces least-privilege security group configurations to minimize network exposure.
Risk level
Default risk level: high.
You can change the risk level when you apply this rule.
Compliance evaluation logic
- Compliant: Protocol Type is not set to All, or a higher-priority inbound rule denies access over all protocols.
- Incompliant: Protocol Type is set to All and no higher-priority inbound rule denies all-protocol access. Follow the Incompliance remediation steps to fix this.
This rule does not apply to security groups used by Alibaba Cloud services other than ECS, such as Cloud Firewall and NAT Gateway, or by virtual server providers. These security groups are marked as inapplicable.
NoteSecurity groups that are created in managed mode by Alibaba Cloud services other than ECS are called managed security groups. For more information about managed security groups, see Managed security groups.
Rule details
| Item | Description |
| Rule name | ecs-security-group-not-open-all-protocol |
| Rule identifier | ecs-security-group-not-open-all-protocol |
| Tag | SecurityGroup |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | ECS security group |
| Input parameter | None. |
Incompliance remediation
Modify a security group rule. For more information, see Modify a security group rule.