Checks whether the Authorization Object parameter of an inbound rule is set to a public IP address or public Classless Inter-Domain Routing (CIDR) block when the Action parameter of that inbound rule is set to Allow. If no inbound Allow rule references a public address or CIDR block, the evaluation result is Compliant.
Scenarios
Proceed with caution when you add public CIDR blocks to the whitelist of an ECS instance: an inbound Allow rule whose source is a public IP address or CIDR block exposes the instance to the Internet. Restricting inbound rules to private address ranges or security group IDs helps isolate networks and ensures the network security of cloud environments.
Risk level
Default risk level: high.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If the Authorization Object parameter of each inbound rule is not set to a public IP address or public CIDR block when the Action parameter of the inbound rule is set to Allow, the evaluation result is Compliant.
- If the Authorization Object parameter of an inbound rule is set to a public IP address or public CIDR block when the Action parameter of the inbound rule is set to Allow, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
- This rule applies only to Elastic Compute Service (ECS). This rule does not apply to other Alibaba Cloud services, such as Cloud Firewall (CFW) and NAT Gateway, or to security groups that are used by virtual network operators (VNOs).
Note Security groups that are created by using Alibaba Cloud services except ECS in managed mode are called managed security groups. For more information about managed security groups, see Managed security groups.
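As an added illustration, not Alibaba Cloud Config's own evaluation code, the following Python applies the logic above to a constructed set of inbound and outbound rules. The field names (`direction`, `action`, `auth_object`, `port_range`) and the list of address ranges treated as non-public are assumptions, because the page does not enumerate them.

```python
"""Evaluate ECS security group rules as ecs-security-group-not-internet-cidr-access does:
any inbound rule with Action=Allow whose Authorization Object is a public IP/CIDR
makes the security group Incompliant."""
import ipaddress

# Assumption: ranges treated as non-public. The page does not list which ranges
# count as "public", so this set (RFC 1918, CGNAT, loopback, link-local, IPv6 ULA)
# is this example's choice, not Alibaba Cloud's definition.
NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                     # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                     # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                  # IPv6 ULA, link-local, loopback
)]


def is_public_cidr(auth_object: str) -> bool:
    """True if auth_object is an IP address or CIDR block that contains at least one
    public address. Non-CIDR authorization objects (e.g. a security group ID such as
    sg-...) are not CIDR blocks and return False."""
    try:
        net = ipaddress.ip_network(auth_object, strict=False)  # "1.2.3.4" becomes /32
    except ValueError:
        return False
    # A block is non-public only if it lies entirely inside one non-public range.
    # 0.0.0.0/0, ::/0, 203.0.113.0/24 or an over-wide 10.0.0.0/7 all reach public hosts.
    return not any(net.version == r.version and net.subnet_of(r) for r in NON_PUBLIC)


def evaluate_security_group(rules):
    """Return ("Compliant", []) or ("Incompliant", [offending inbound Allow rules])."""
    offending = [r for r in rules
                 if r["direction"] == "ingress" and r["action"] == "Allow"
                 and is_public_cidr(r["auth_object"])]
    return ("Incompliant" if offending else "Compliant"), offending


# Constructed sample rules (hypothetical field names, not real API output).
SAMPLE_RULES = [
    {"direction": "ingress", "action": "Allow", "auth_object": "192.168.0.0/16", "port_range": "22/22"},
    {"direction": "ingress", "action": "Allow", "auth_object": "sg-bp1xxxxexample", "port_range": "3306/3306"},
    {"direction": "ingress", "action": "Drop",  "auth_object": "0.0.0.0/0", "port_range": "-1/-1"},
    {"direction": "egress",  "action": "Allow", "auth_object": "0.0.0.0/0", "port_range": "-1/-1"},
    {"direction": "ingress", "action": "Allow", "auth_object": "0.0.0.0/0", "port_range": "443/443"},
]

if __name__ == "__main__":
    result, bad = evaluate_security_group(SAMPLE_RULES)
    print(result, [r["auth_object"] for r in bad])  # only the last rule is flagged
```

Only the inbound Allow rule from 0.0.0.0/0 is flagged; the Drop rule and the egress rule with the same CIDR are outside the rule's scope, as the logic above states.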
Rule details
Item | Description |
---|---|
Rule name | ecs-security-group-not-internet-cidr-access |
Rule identifier | ecs-security-group-not-internet-cidr-access |
Tag | SecurityGroup |
Automatic remediation | Not supported |
Trigger type | Configuration change |
Supported resource type | ECS security group |
Input parameter | None. |
Incompliance remediation
Modify a security group rule. For more information, see Modify security group rules.