Evaluates security groups as Compliant if their outbound rules do not allow access from all CIDR blocks.
Scenarios
Use this rule to enforce the principle of least privilege (PoLP) for security groups, reducing network exposure and protecting cloud environments.
Risk level
Default risk level: high.
You can change the risk level based on your business requirements when you apply this rule.
Compliance evaluation logic
- If the outbound rules of each security group do not allow access from all CIDR blocks, the evaluation result is Compliant.
- If the outbound rules of each security group allow access from all CIDR blocks, the evaluation result is Incompliant. To remediate an incompliant configuration, see Incompliance remediation.
This rule does not apply to security groups used by Alibaba Cloud services other than ECS, such as Cloud Firewall and NAT Gateway, or by virtual server providers. These security groups are marked as inapplicable.
NoteSecurity groups that are created in managed mode by Alibaba Cloud services other than ECS are called managed security groups. For more information about managed security groups, see Managed security groups.
Rule details
| Item | Description |
| Rule name | ecs-security-group-egress-not-all-access |
| Rule identifier | ecs-security-group-egress-not-all-access |
| Tag | SecurityGroup |
| Automatic remediation | Not supported |
| Trigger Type | Configuration change |
| Supported resource type | ECS security group |
| Input parameter | None. |
Incompliance remediation
Modify the security group rule. For more information, see Modify a security group rule.