Checks that inbound rules from 0.0.0.0/0 deny traffic on all ports not explicitly whitelisted, reducing the network attack surface.
Scenarios
Enforce the least-privilege inbound policy for security groups to minimize the network attack surface.
Threat level
Default threat level: High.
You can change the threat level of this rule as needed.
Detection logic
-
Compliant: the inbound rule from 0.0.0.0/0 sets the authorization policy to Deny for all non-whitelisted ports.
-
Non-compliant: the authorization policy is set to Allow for any non-whitelisted port from 0.0.0.0/0. See Remediation.
This rule does not apply to security groups used by Alibaba Cloud services other than ECS, such as Cloud Firewall and NAT Gateway, or by virtual server providers. These security groups are marked as inapplicable.
NoteSecurity groups that are created in managed mode by Alibaba Cloud services other than ECS are called managed security groups. For more information about managed security groups, see Managed security groups.
Rule details
|
Parameter |
Description |
|
Rule name |
Effective inbound settings for non-whitelisted ports in security groups |
|
Rule identifier |
ecs-security-group-white-list-port-check |
|
Tag |
SecurityGroup |
|
Automated Correction |
Not supported |
|
Rule trigger mechanism |
Configuration change |
|
Supported resource types |
ECS security group |
|
Input parameters |
Note
Separate multiple port specifications with commas (,). |
Remediation
To fix non-compliant resources, modify the security group rules to deny inbound traffic on non-whitelisted ports.