Checks whether Security Center has detected unfixed vulnerabilities of a specified type or a specified level on an Elastic Compute Service (ECS) instance. If no such vulnerabilities are detected, the evaluation result is Compliant.

Scenarios

This rule applies when you need to use Security Center to fix security vulnerabilities on each running ECS instance at the earliest opportunity. This helps improve system security.

Risk level

Default risk level: medium.

When you apply this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If no unfixed vulnerabilities of a specified type or a specified level are detected by Security Center on each ECS instance, the evaluation result is Compliant.
  • If an unfixed vulnerability of a specified type or a specified level is detected by Security Center on an ECS instance, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
  • This rule does not apply to ECS instances that are not in the running state.
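The evaluation logic above, as an added worked example (not code from Alibaba Cloud Config or Security Center): a small evaluator over a constructed inventory that skips non-running instances, ignores fixed vulnerabilities, and flags any remaining vulnerability matching the necessity and type parameters. The data shapes, the sample labels ("cve", "asap", and so on) and the rule that an empty filter matches every type or level are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical, simplified data shapes; not the Security Center or Cloud Config API.
@dataclass
class Vulnerability:
    vul_type: str    # constructed type labels, e.g. "cve" or "sys"
    necessity: str   # constructed urgency labels, e.g. "asap" or "later"
    fixed: bool

@dataclass
class EcsInstance:
    instance_id: str
    status: str      # e.g. "Running" or "Stopped"
    vulnerabilities: List[Vulnerability] = field(default_factory=list)

def evaluate(instance: EcsInstance, types: Optional[Set[str]],
             necessities: Optional[Set[str]]) -> str:
    """Apply the rule to one instance; an empty or None filter matches everything (assumption)."""
    # The rule does not apply to instances that are not in the running state.
    if instance.status != "Running":
        return "NotApplicable"
    for vul in instance.vulnerabilities:
        if vul.fixed:
            continue  # only unfixed vulnerabilities count
        type_ok = not types or vul.vul_type in types
        necessity_ok = not necessities or vul.necessity in necessities
        if type_ok and necessity_ok:
            return "Incompliant"
    return "Compliant"

def evaluate_all(instances: List[EcsInstance], types: Optional[Set[str]],
                 necessities: Optional[Set[str]]) -> Dict[str, str]:
    """Evaluate every instance and return {instance_id: result}."""
    return {i.instance_id: evaluate(i, types, necessities) for i in instances}

# Constructed sample inventory standing in for Security Center findings.
SAMPLE_INSTANCES = [
    EcsInstance("i-running-1", "Running", [Vulnerability("cve", "asap", fixed=False)]),
    EcsInstance("i-running-2", "Running", [
        Vulnerability("cve", "asap", fixed=True),
        Vulnerability("sys", "later", fixed=False),
    ]),
    EcsInstance("i-stopped-1", "Stopped", [Vulnerability("cve", "asap", fixed=False)]),
]

if __name__ == "__main__":
    for iid, result in evaluate_all(SAMPLE_INSTANCES, {"cve"}, {"asap"}).items():
        print(f"{iid}: {result}")
```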

Rule details

Item                      Description
Rule name                 ecs-instance-updated-security-vul
Rule identifier           ecs-instance-updated-security-vul
Tag                       ECS, Instance, and SecurityCenter
Automatic remediation     Not supported
Trigger type              Periodic execution
Evaluation frequency      Interval of 24 hours
Supported resource type   ECS instance
Input parameter           • necessity
                          • type

Incompliance remediation

Fix vulnerabilities on an ECS instance. For more information, see Basic security services.