Effective inbound settings for non-whitelisted ports in security groups

更新时间:
复制 MD 格式

Checks that inbound rules from 0.0.0.0/0 deny traffic on all ports not explicitly whitelisted, reducing the network attack surface.

Scenarios

Enforce the least-privilege inbound policy for security groups to minimize the network attack surface.

Threat level

Default threat level: High.

You can change the threat level of this rule as needed.

Detection logic

  • Compliant: the inbound rule from 0.0.0.0/0 sets the authorization policy to Deny for all non-whitelisted ports.

  • Non-compliant: the authorization policy is set to Allow for any non-whitelisted port from 0.0.0.0/0. See Remediation.

  • This rule does not apply to security groups used by Alibaba Cloud services other than ECS, such as Cloud Firewall and NAT Gateway, or by virtual server providers. These security groups are marked as inapplicable.

    Note

    Security groups that are created in managed mode by Alibaba Cloud services other than ECS are called managed security groups. For more information about managed security groups, see Managed security groups.

Rule details

Parameter

Description

Rule name

Effective inbound settings for non-whitelisted ports in security groups

Rule identifier

ecs-security-group-white-list-port-check

Tag

SecurityGroup

Automated Correction

Not supported

Rule trigger mechanism

Configuration change

Supported resource types

ECS security group

Input parameters

ports

Note

Separate multiple port specifications with commas (,).

Remediation

To fix non-compliant resources, modify the security group rules to deny inbound traffic on non-whitelisted ports.