Checks whether the inbound access configuration of a security group is valid.
Scenario
Security groups act as virtual firewalls to provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups to define security domains in the cloud. You can configure security group rules to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances in security groups.
Risk level
Default risk level: high.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If the port range -1/-1 and the CIDR block 0.0.0.0/0 are not specified at the same time in a security group rule that allows inbound access, the configuration is considered compliant.
- If the port range -1/-1 and the CIDR block 0.0.0.0/0 are specified at the same time in a security group rule that allows inbound access, the configuration is considered non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
Rule details
| Item | Description |
|---|---|
| Rule name | sg-public-access-check |
| Rule ID | sg-public-access-check |
| Tag | SecurityGroup |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | ECS security group |
| Input parameter | None |
Non-compliance remediation
Modify security group rules. For more information, see Modify security group rules.