The BestPracticesForSecurityGroups compliance package continuously checks the compliance of security group rules to reduce security risks. This topic describes the managed rules that are provided in the BestPracticesForSecurityGroups compliance package.
| Rule name | Rule description |
| --- | --- |
| | Checks whether each inbound rule in a security group allows access only on ports in a specified range when the Authorization Object parameter of the inbound rule is set to 0.0.0.0/0. If so, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| | Checks whether the inbound authorization policy of each security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, or whether an authorization policy with a higher priority is configured. If so, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| | Checks whether the Port Range parameter of an inbound rule in a security group is set to All when the Action parameter of the inbound rule is set to Allow. If not, the evaluation result is Compliant. If the Port Range parameter of the inbound rule is set to All but access on all ports is denied by an inbound rule with a higher priority, the evaluation result is also Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| | Checks whether the Protocol Type parameter of an inbound rule in a security group is set to All when the Action parameter of the inbound rule is set to Allow. If not, the evaluation result is Compliant. If the Protocol Type parameter of the inbound rule is set to All but access over all protocols is denied by an inbound rule with a higher priority, the evaluation result is also Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| | Checks whether the Authorization Object parameter of an inbound rule is set to a public IP address or a public Classless Inter-Domain Routing (CIDR) block when the Action parameter of the inbound rule is set to Allow. If not, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| | Checks whether the outbound rules of each security group deny access from all CIDR blocks. If so, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
| | Checks whether each ECS instance is added to a specified security group. If so, the evaluation result is Compliant. |
| | Checks whether 0.0.0.0/0 is added to the IP address whitelist of each security group and high-risk ports are disabled. If so, the evaluation result is Compliant. If 0.0.0.0/0 is not added to the IP address whitelist of a security group, the evaluation result is Compliant regardless of whether high-risk ports are disabled. If a high-risk port is denied by an authorization policy with a higher priority, the evaluation result is Compliant. If the security groups are used by cloud services or virtual network operators, the evaluation result is Not Applicable. |
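The following Python model, added here as an illustration and not code from the compliance package or its documentation, evaluates the inbound checks above (all ports, all protocols, public source, high-risk ports behind 0.0.0.0/0) against a constructed rule set, including the exception for a deny rule with a higher priority. The rule field names, the convention that priority 1 is the highest, the high-risk port list and the set of non-public address ranges are assumptions made for this example.

```python
import ipaddress

# Constructed sample inbound rules for one security group. Field names and the
# "priority 1 is highest" convention are assumptions made for this example.
INBOUND = [
    {"Priority": 1, "Policy": "drop", "Protocol": "tcp", "PortRange": "22/22", "SourceCidr": "0.0.0.0/0"},
    {"Priority": 50, "Policy": "accept", "Protocol": "tcp", "PortRange": "22/22", "SourceCidr": "0.0.0.0/0"},
    {"Priority": 60, "Policy": "accept", "Protocol": "all", "PortRange": "-1/-1", "SourceCidr": "10.0.0.0/8"},
    {"Priority": 70, "Policy": "accept", "Protocol": "tcp", "PortRange": "443/443", "SourceCidr": "203.0.113.0/24"},
]
HIGH_RISK_PORTS = {22, 3389}  # assumed list; the package's own list is not given on the page
PRIVATE = [ipaddress.ip_network(n) for n in  # assumed non-public ranges
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def ports(rule):
    """Port range as (low, high); -1/-1 means every port."""
    lo, hi = (int(x) for x in rule["PortRange"].split("/"))
    return (1, 65535) if (lo, hi) == (-1, -1) else (lo, hi)

def is_public(cidr):
    """A CIDR block counts as public unless it lies entirely inside a non-public range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE)

def denied_by_higher_priority(rule, rules, port=None):
    """True if a drop rule with a higher priority already covers this rule's traffic."""
    lo, hi = ports(rule) if port is None else (port, port)
    for other in rules:
        if other["Policy"] != "drop" or other["Priority"] >= rule["Priority"]:
            continue
        olo, ohi = ports(other)
        same_proto = other["Protocol"] in ("all", rule["Protocol"])
        covers_src = ipaddress.ip_network(rule["SourceCidr"]).subnet_of(ipaddress.ip_network(other["SourceCidr"]))
        if same_proto and covers_src and olo <= lo and hi <= ohi:
            return True
    return False

def evaluate(rules):
    """Return (check, detail) pairs for every non-compliant inbound allow rule."""
    findings = []
    for r in rules:
        if r["Policy"] != "accept":
            continue
        if ports(r) == (1, 65535) and not denied_by_higher_priority(r, rules):
            findings.append(("allow-all-ports", r["Priority"]))
        if r["Protocol"] == "all" and not denied_by_higher_priority(r, rules):
            findings.append(("allow-all-protocols", r["Priority"]))
        if is_public(r["SourceCidr"]):
            findings.append(("public-source", r["Priority"]))
        if r["SourceCidr"] == "0.0.0.0/0":  # whitelist open to everyone: high-risk ports must be closed
            lo, hi = ports(r)
            findings += [("high-risk-port-open", p) for p in sorted(HIGH_RISK_PORTS)
                         if lo <= p <= hi and not denied_by_higher_priority(r, rules, p)]
    return findings
```

In the sample set, port 22 opened to 0.0.0.0/0 at priority 50 produces no high-risk finding because the priority-1 drop rule already blocks it, while the allow-all rule at priority 60 is flagged twice because no higher-priority deny covers all ports or all protocols.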