Checks whether Security Center has detected unfixed vulnerabilities of a specified type or a specified risk level on an Elastic Compute Service (ECS) instance. If no such vulnerabilities are detected, the evaluation result is Compliant.
Scenarios
This rule applies when you need to use Security Center to detect security vulnerabilities on each running ECS instance and fix them at the earliest opportunity. This way, you can improve system security.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If Security Center detects no unfixed vulnerabilities of the specified type or the specified level on an ECS instance, the evaluation result for that instance is Compliant.
- If Security Center detects an unfixed vulnerability of the specified type or the specified level on an ECS instance, the evaluation result for that instance is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
- This rule does not apply to ECS instances that are not in the Running state. Such instances are not evaluated.
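The evaluation logic above, run offline over constructed inventory and vulnerability records, as an added example; this is not code from the page or from Alibaba Cloud Config. It assumes the type and level filters are optional and that, when both are given, a vulnerability must match both (the page does not state how they combine), and the field names in the sample records (`status`, `vul_type`, `level`, `fixed`) are assumptions chosen to resemble what ECS DescribeInstances and Security Center DescribeVulList return, not verified API schemas.

```python
"""Offline evaluator mirroring ecs-instance-updated-security-vul.

Added example, not Alibaba Cloud Config's own code. Assumptions:
- vul_type and level filters are optional; when both are given, both must match.
- Record field names are illustrative, not a verified API schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

COMPLIANT = "Compliant"
INCOMPLIANT = "Incompliant"          # spelling follows the rule documentation
NOT_APPLICABLE = "NotApplicable"     # instances that are not Running are skipped


@dataclass(frozen=True)
class Vulnerability:
    instance_id: str
    vul_type: str    # e.g. "cve", "sys", "cms", "app", "emg" (assumed values)
    level: str       # e.g. "asap", "later", "nntf" (assumed values)
    fixed: bool      # False means the finding is still open


@dataclass(frozen=True)
class Instance:
    instance_id: str
    status: str      # "Running", "Stopped", ...


def matches_filter(v: Vulnerability, vul_type: Optional[str], level: Optional[str]) -> bool:
    """True when the finding is still unfixed and satisfies both configured filters."""
    if v.fixed:
        return False
    if vul_type is not None and v.vul_type != vul_type:
        return False
    if level is not None and v.level != level:
        return False
    return True


def evaluate(instances: Iterable[Instance], vulns: Iterable[Vulnerability],
             vul_type: Optional[str] = None, level: Optional[str] = None) -> Dict[str, str]:
    """Return {instance_id: verdict} following the rule's evaluation logic."""
    open_by_instance: Dict[str, List[Vulnerability]] = {}
    for v in vulns:
        if matches_filter(v, vul_type, level):
            open_by_instance.setdefault(v.instance_id, []).append(v)

    results: Dict[str, str] = {}
    for inst in instances:
        if inst.status != "Running":
            results[inst.instance_id] = NOT_APPLICABLE      # rule does not apply
        elif open_by_instance.get(inst.instance_id):
            results[inst.instance_id] = INCOMPLIANT         # at least one open finding
        else:
            results[inst.instance_id] = COMPLIANT
    return results


def incompliant_instances(results: Dict[str, str]) -> List[str]:
    """Instance IDs that need remediation, sorted for stable reporting."""
    return sorted(i for i, verdict in results.items() if verdict == INCOMPLIANT)


# Constructed sample data; the instance IDs and findings are not real.
SAMPLE_INSTANCES = [
    Instance("i-aaa", "Running"),
    Instance("i-bbb", "Running"),
    Instance("i-ccc", "Stopped"),
    Instance("i-ddd", "Running"),
]
SAMPLE_VULNS = [
    Vulnerability("i-aaa", "cve", "asap", fixed=False),   # open, urgent Linux CVE
    Vulnerability("i-bbb", "cve", "later", fixed=True),   # already fixed: ignored
    Vulnerability("i-bbb", "cms", "nntf", fixed=False),   # open, but a different type
    Vulnerability("i-ccc", "cve", "asap", fixed=False),   # open, but instance is stopped
]

if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_INSTANCES, SAMPLE_VULNS, vul_type="cve", level="asap")
    for inst_id, verdict in verdicts.items():
        print(f"{inst_id}: {verdict}")
    print("needs remediation:", incompliant_instances(verdicts))
```

With the filters `vul_type="cve", level="asap"` only `i-aaa` is Incompliant: the stopped instance is skipped even though it carries an open finding, and `i-bbb`'s open CMS finding is outside the configured type. With no filters, `i-bbb` becomes Incompliant as well.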
Rule details
Item | Description |
---|---|
Rule name | ecs-instance-updated-security-vul |
Rule identifier | ecs-instance-updated-security-vul |
Tag | ECS, Instance, and SecurityCenter |
Automatic remediation | Not supported |
Trigger type | Periodic execution |
Evaluation frequency | Interval of 24 hours |
Supported resource type | ECS instance |
Input parameter | |
Incompliance remediation
Fix the vulnerabilities that Security Center detects on the ECS instance. For more information, see Basic security services.