Checks whether each Elastic Compute Service (ECS) instance is added to the specified security group.
Scenarios
Security groups act as virtual firewalls to provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups to define security domains in the cloud. You can configure security group rules to control the inbound and outbound traffic of ECS instances in security groups.
Risk level
Default risk level: high.
You can change the risk level as required when you apply this rule.
Compliance evaluation logic
- If each ECS instance is added to the specified security group, the evaluation result is compliant.
- If an ECS instance is not added to the specified security group, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
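As an added illustration (not code from this rule or from the Cloud Config service itself), the Python below applies the evaluation logic above to a constructed instance inventory. It assumes the securityGroupIds parameter is a comma-separated list as the rule details describe, and that an instance is compliant when it belongs to at least one of the listed groups; the instance IDs, group IDs and record layout are constructed placeholders.

```python
import json
from typing import Dict, List

def parse_security_group_ids(param: str) -> List[str]:
    """Split the securityGroupIds input parameter on commas,
    tolerating surrounding whitespace and empty items."""
    return [sg.strip() for sg in param.split(",") if sg.strip()]

def evaluate_instance(instance: dict, required: List[str]) -> str:
    """COMPLIANT if the instance is attached to at least one required
    security group (assumed semantics), otherwise NON_COMPLIANT.
    An instance with no security groups at all is NON_COMPLIANT."""
    attached = set(instance.get("SecurityGroupIds", {}).get("SecurityGroupId", []))
    return "COMPLIANT" if attached & set(required) else "NON_COMPLIANT"

def evaluate_inventory(inventory_json: str, param: str) -> Dict[str, str]:
    """Evaluate every instance in a JSON inventory; returns {InstanceId: result}."""
    required = parse_security_group_ids(param)
    if not required:
        raise ValueError("securityGroupIds must list at least one security group ID")
    results = {}
    for inst in json.loads(inventory_json)["Instances"]["Instance"]:
        results[inst["InstanceId"]] = evaluate_instance(inst, required)
    return results

# Constructed sample inventory (placeholder IDs, assumed record layout).
SAMPLE_INVENTORY = json.dumps({"Instances": {"Instance": [
    {"InstanceId": "i-example-web-01",
     "SecurityGroupIds": {"SecurityGroupId": ["sg-example-approved-1", "sg-example-other"]}},
    {"InstanceId": "i-example-db-01",
     "SecurityGroupIds": {"SecurityGroupId": ["sg-example-other"]}},
    {"InstanceId": "i-example-batch-01",
     "SecurityGroupIds": {"SecurityGroupId": ["sg-example-approved-2"]}},
    {"InstanceId": "i-example-orphan-01"},
]}})

if __name__ == "__main__":
    for instance_id, verdict in evaluate_inventory(
            SAMPLE_INVENTORY, "sg-example-approved-1, sg-example-approved-2").items():
        print(f"{instance_id}: {verdict}")
```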
Rule details
Item | Description |
---|---|
Rule name | ecs-instance-attached-security-group |
Rule ID | ecs-instance-attached-security-group |
Tag | ECS and Instance |
Automatic remediation | Not supported |
Trigger type | Configuration change |
Supported resource type | ECS instance |
Input parameter | securityGroupIds. Note: separate multiple security group IDs with commas (,). |
Non-compliance remediation
For more information about how to change the security group of an ECS instance, see Replace security groups of an ECS instance.