Improper security group configurations may lead to security incidents. Security group checks can detect weak rules in Elastic Compute Service (ECS) security groups and provide solutions. This allows you to use the security group feature in a more secure and efficient way. This topic describes how to check security group configurations in the Security Center console.

Background information

The security group check feature is supported for all editions of Security Center.

A security group functions as a virtual firewall and applies only to Alibaba Cloud ECS instances. Security group checks support basic and advanced security groups. For more information about security groups, see Overview.

The security group check feature is provided by Cloud Firewall. You can log on to the Cloud Firewall console to use more network security features. For more information about security group check items, see Supported check items.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Security group check.
  3. Optional: On the Security Check page, click Obtain Latest Check Results.
    The check requires 1 to 5 minutes.
    Note The latest check results are obtained from a static analysis of security group rules and may not cover all port risks. You can view complete check results about port exposure on the Internet Access page. For more information, see Internet access.
  4. Optional: On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
    Before you can use the security group check feature, you must assign the following roles to the current account: AliyunCloudFirewallAccessingECSRole and AliyunCloudFirewallDefaultRole. If you have already performed the authorization, skip this step.
  5. In the Check Result Details section, view the details of the rules that are used to detect security risks.
    You can view the Risk Level, Check Item, Risky Security Groups/Servers, and Check Item Status of each rule.
    Note Each check item is enabled by default. To disable a check item, click the Status icon in the Check Item Status column. After a check item is disabled, Cloud Firewall no longer checks for the security risks that the check item covers.
  6. Manage weak security group rules.
    1. Find the rule that you want to manage and click View Details in the Actions column.
      Alternatively, click the number in the Risky Security Groups/Servers column to go to the Details page.
    2. On the Details page, find the security group for which you want to fix an issue and click Fix Issue in the Actions column.
      Improper security group configurations may lead to security incidents. The Details page provides a Suggestion for managing the security group risk. Manage the risk based on the Suggestion.
      If you are using Cloud Firewall Premium, Enterprise, or Ultimate edition, you are redirected to the Security Groups page, where you manage the security group risks based on the Suggestion. For more information, see Modify security group rules. If you are using Cloud Firewall Basic edition, perform substep 3.
    3. Optional: In the Cloud Firewall Premium Edition dialog box, click Upgrade Now or Fix Issue.
      You can use one of the following methods to manage security group risks:
      • Upgrade Now: Purchase Cloud Firewall Premium edition and use its security group check function, which is designed to manage security group risks. We recommend this method. Cloud Firewall lets you centrally manage security groups and the access control policies of public IP addresses, which reduces asset exposure and improves the efficiency of security management.
      • Fix Issue: Go to the Security Groups page to manage the risk manually. For more information, see Modify security group rules.

Supported check items

Each check item is listed below with its name, the risk it detects, and the suggested fix.

Open remote operations and maintenance (O&M) ports of Linux servers
  Risk: Port 22 allows requests from all IP addresses. The associated Linux servers may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 22 on the Security Groups page of the ECS console. If your services require access to port 22, we recommend that you allow only specific public IP addresses to access port 22 or use Bastionhost for remote O&M. For more information, see What is Bastionhost?.

Open remote O&M ports of Windows servers
  Risk: Port 3389 allows requests from all IP addresses. The associated Windows servers may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 3389 on the Security Groups page of the ECS console. If your services require access to port 3389, we recommend that you allow only specific public IP addresses to access port 3389 or use Bastionhost for remote O&M. For more information, see What is Bastionhost?.

Open remote O&M ports of DB2 databases
  Risk: Port 50000 allows requests from all IP addresses. The associated DB2 databases may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 50000 on the Security Groups page of the ECS console.

Excessive security groups
  Risk: An ECS instance is added to three or more security groups. This makes O&M difficult and increases the risk of incorrect configurations.
  Suggestion: We recommend that you add an ECS instance to a maximum of two security groups. For more information, see Overview.

Open remote O&M ports of Elasticsearch
  Risk: Ports 9200 and 9300 allow requests from all IP addresses. The associated Elasticsearch clusters may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to ports 9200 and 9300 on the Security Groups page of the ECS console.

Open remote O&M ports of Hadoop YARN
  Risk: Port 8088 allows requests from all IP addresses. The associated Hadoop YARN may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 8088 on the Security Groups page of the ECS console.

Open remote O&M ports of Hadoop
  Risk: Ports 50070 and 50030 allow requests from all IP addresses. The associated Hadoop may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to ports 50070 and 50030 on the Security Groups page of the ECS console.

Open remote O&M ports of ApsaraDB for MongoDB
  Risk: Port 27017 allows requests from all IP addresses. The associated ApsaraDB for MongoDB may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 27017 on the Security Groups page of the ECS console.

Open remote O&M ports of Alibaba Cloud services that support MySQL database engines
  Risk: Port 3306 allows requests from all IP addresses. The associated Alibaba Cloud services that support MySQL database engines may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 3306 on the Security Groups page of the ECS console.

Open remote O&M ports of Alibaba Cloud services that support Oracle database engines
  Risk: Port 1521 allows requests from all IP addresses. The associated Alibaba Cloud services that support Oracle database engines may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 1521 on the Security Groups page of the ECS console.

Open remote O&M ports of Alibaba Cloud services that support PostgreSQL database engines
  Risk: Port 5432 allows requests from all IP addresses. The associated Alibaba Cloud services that support PostgreSQL database engines may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 5432 on the Security Groups page of the ECS console.

Open remote O&M ports of ApsaraDB for Redis databases
  Risk: Port 6379 allows requests from all IP addresses. The associated ApsaraDB for Redis databases may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 6379 on the Security Groups page of the ECS console.

Open remote O&M ports of ApsaraDB RDS for SQL Server
  Risk: Port 1433 allows requests from all IP addresses. The associated ApsaraDB RDS for SQL Server may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 1433 on the Security Groups page of the ECS console.

Open remote O&M ports of Spark clusters
  Risk: Port 6066 allows requests from all IP addresses. The associated Spark clusters may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to port 6066 on the Security Groups page of the ECS console.

Open remote O&M ports of Splunk instances
  Risk: Ports 8089 and 8090 allow requests from all IP addresses. The associated Splunk instances may be cracked.
  Suggestion: We recommend that you deny the access of public IP addresses to ports 8089 and 8090 on the Security Groups page of the ECS console.

Open ports of security groups
  Risk: Security groups are configured to allow all IP addresses to access any ports. The associated servers may be cracked.
  Suggestion: We recommend that you configure security groups to allow requests from specific IP addresses.
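The port-based check items above all reduce to one static test: an inbound accept rule whose source is all IP addresses and whose port range covers a listed port. The script below is an added example, not code from Security Center or Cloud Firewall, that evaluates constructed sample rules against those items plus the excessive-security-group threshold. The Rule field names, the sample security group and instance IDs, and the treatment of ::/0 as "all IP addresses" are assumptions; the real ECS rule format is not modelled, and rule priority is ignored, which is the same static-analysis limitation the procedure's note describes.

```python
"""Static check of ECS security group rules against the check items above.

Added example; not code from Security Center or Cloud Firewall. The Rule
fields and the sample group/instance IDs are assumptions, not the ECS API's
response format.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Check items from the table: check item name -> TCP ports that must not be
# reachable from all IP addresses.
PORT_CHECK_ITEMS: Dict[str, Set[int]] = {
    "Open remote O&M ports of Linux servers": {22},
    "Open remote O&M ports of Windows servers": {3389},
    "Open remote O&M ports of DB2 databases": {50000},
    "Open remote O&M ports of Elasticsearch": {9200, 9300},
    "Open remote O&M ports of Hadoop YARN": {8088},
    "Open remote O&M ports of Hadoop": {50070, 50030},
    "Open remote O&M ports of ApsaraDB for MongoDB": {27017},
    "Open remote O&M ports of Alibaba Cloud services that support MySQL database engines": {3306},
    "Open remote O&M ports of Alibaba Cloud services that support Oracle database engines": {1521},
    "Open remote O&M ports of Alibaba Cloud services that support PostgreSQL database engines": {5432},
    "Open remote O&M ports of ApsaraDB for Redis databases": {6379},
    "Open remote O&M ports of ApsaraDB RDS for SQL Server": {1433},
    "Open remote O&M ports of Spark clusters": {6066},
    "Open remote O&M ports of Splunk instances": {8089, 8090},
}

# "Excessive security groups": an instance in three or more groups is flagged.
MAX_GROUPS_PER_INSTANCE = 2

# Source CIDRs that mean "all IP addresses"; ::/0 is an assumed IPv6 equivalent.
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Rule:
    group_id: str
    direction: str    # "ingress" or "egress"
    policy: str       # "accept" or "drop"
    protocol: str     # "tcp", "udp" or "all"
    port_range: str   # "low/high"; "-1/-1" means every port
    source_cidr: str


def port_span(port_range: str) -> Tuple[int, int]:
    """Translate the "low/high" string into an inclusive integer span."""
    low, high = (int(p) for p in port_range.split("/"))
    if (low, high) == (-1, -1):
        return 1, 65535
    return low, high


def opens_to_everyone(rule: Rule) -> bool:
    """True for an inbound accept rule whose source is the whole Internet."""
    return (rule.direction == "ingress" and rule.policy == "accept"
            and rule.source_cidr in ANY_SOURCE)


def check_rules(rules: List[Rule], instance_groups: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return sorted (check item, security group or instance ID) findings.

    Static like the console check: priority and overriding drop rules are not
    modelled, so a finding means "this rule, on its own, exposes the port".
    """
    findings = set()
    for rule in rules:
        if not opens_to_everyone(rule):
            continue
        low, high = port_span(rule.port_range)
        if rule.protocol == "all" or (low, high) == (1, 65535):
            # Every port open: report once under the broad item, not per port.
            findings.add(("Open ports of security groups", rule.group_id))
            continue
        if rule.protocol != "tcp":
            continue  # the listed O&M ports are all TCP services
        for item, ports in PORT_CHECK_ITEMS.items():
            if any(low <= p <= high for p in ports):
                findings.add((item, rule.group_id))
    for instance_id, groups in instance_groups.items():
        if len(set(groups)) > MAX_GROUPS_PER_INSTANCE:
            findings.add(("Excessive security groups", instance_id))
    return sorted(findings)


# Constructed sample data; the IDs are placeholders, not real resources.
SAMPLE_RULES = [
    Rule("sg-demo-web", "ingress", "accept", "tcp", "22/22", "0.0.0.0/0"),      # SSH open to all
    Rule("sg-demo-web", "ingress", "accept", "tcp", "80/80", "0.0.0.0/0"),      # not a check item
    Rule("sg-demo-web", "egress", "accept", "all", "-1/-1", "0.0.0.0/0"),       # egress, ignored
    Rule("sg-demo-db", "ingress", "accept", "tcp", "3306/3306", "10.0.0.0/8"),  # private source, fine
    Rule("sg-demo-db", "ingress", "accept", "tcp", "6379/6379", "0.0.0.0/0"),   # Redis open to all
    Rule("sg-demo-legacy", "ingress", "accept", "all", "-1/-1", "0.0.0.0/0"),   # everything open
    Rule("sg-demo-es", "ingress", "accept", "tcp", "9000/9300", "0.0.0.0/0"),   # range covers 9200/9300
]
SAMPLE_INSTANCE_GROUPS = {
    "i-demo-1": ["sg-demo-web", "sg-demo-db", "sg-demo-legacy"],  # three groups
    "i-demo-2": ["sg-demo-web"],
}

if __name__ == "__main__":
    for item, resource in check_rules(SAMPLE_RULES, SAMPLE_INSTANCE_GROUPS):
        print(f"{resource}: {item}")
```

Running the script lists five findings: the SSH, Redis and Elasticsearch exposures, the fully open legacy group, and the instance attached to three groups. Because rule priority is not evaluated, treat the output as the same kind of first pass the console's static check gives you and confirm actual exposure on the Internet Access page.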