ecs-security-group-egress-not-all-access

更新时间:
复制 MD 格式

Evaluates security groups as Compliant if their outbound rules do not allow access from all CIDR blocks.

Scenarios

Use this rule to enforce the principle of least privilege (PoLP) for security groups, reducing network exposure and protecting cloud environments.

Risk level

Default risk level: high.

You can change the risk level based on your business requirements when you apply this rule.

Compliance evaluation logic

  • If the outbound rules of each security group do not allow access from all CIDR blocks, the evaluation result is Compliant.
  • If the outbound rules of each security group allow access from all CIDR blocks, the evaluation result is Incompliant. To remediate an incompliant configuration, see Incompliance remediation.
  • This rule does not apply to security groups used by Alibaba Cloud services other than ECS, such as Cloud Firewall and NAT Gateway, or by virtual server providers. These security groups are marked as inapplicable.

    Note

    Security groups that are created in managed mode by Alibaba Cloud services other than ECS are called managed security groups. For more information about managed security groups, see Managed security groups.

Rule details

Item Description
Rule name ecs-security-group-egress-not-all-access
Rule identifier ecs-security-group-egress-not-all-access
Tag SecurityGroup
Automatic remediation Not supported
Trigger Type Configuration change
Supported resource type ECS security group
Input parameter None.

Incompliance remediation

Modify the security group rule. For more information, see Modify a security group rule.