
Scenarios

This rule applies when you need to configure a rule for a security group based on the principle of least privilege (PoLP). This helps you reduce network exposure and ensure the network security of cloud environments.

Risk level

Default risk level: high.

When you apply this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If an inbound rule in the security group allows access from 0.0.0.0/0 but none of the specified high-risk ports falls within the rule's port range for a specified protocol, the evaluation result is Compliant. If a specified high-risk port falls within the port range for a specified protocol but the inbound rule does not allow access from 0.0.0.0/0, the evaluation result is Compliant. If access to the high-risk ports is denied by an inbound rule with a higher priority, the evaluation result is Compliant.
  • If an inbound rule in the security group allows access from 0.0.0.0/0 and a specified high-risk port falls within the rule's port range for a specified protocol, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see the "Incompliance remediation" section of this topic.
  • This rule does not apply to Alibaba Cloud services other than ECS or security groups that are used by virtual network operators (VNOs).
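The three bullets above describe a decision procedure. The following Python is an added example that is not part of this topic or of the Cloud Config rule's own implementation; it models a security group as a list of inbound rules and applies the Compliant/Incompliant logic for the ports and protocols parameters with their default values (22,3389 and TCP,UDP). Assumptions are labelled in the code: rule priority 1 is the highest and wins over larger numbers, a drop rule beats an accept rule of equal priority, protocol ALL with port range -1/-1 matches every protocol and port, and only rules whose source is exactly 0.0.0.0/0 are considered, since a drop rule scoped to a narrower CIDR does not block Internet access.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SecurityGroupRule:
    """Simplified inbound rule (constructed model, not the ECS API object).
    Field meanings loosely follow the Policy / Priority / IpProtocol /
    PortRange / SourceCidrIp attributes of a security group permission."""
    priority: int       # assumption: 1..100, lower number = higher priority
    policy: str         # "accept" or "drop"
    ip_protocol: str    # "TCP", "UDP", "ICMP", "ALL"
    port_range: str     # "22/22", "1/65535", "-1/-1" (= any port)
    source_cidr: str    # "0.0.0.0/0" means open to the Internet


def parse_port_range(port_range: str) -> Tuple[int, int]:
    """Turn 'lo/hi' into an inclusive (lo, hi) tuple; -1/-1 means all ports."""
    lo, hi = (int(x) for x in port_range.split("/"))
    if lo == -1 and hi == -1:
        return 1, 65535
    return lo, hi


def rule_covers(rule: SecurityGroupRule, protocol: str, port: int) -> bool:
    """True if the rule's protocol and port range include (protocol, port).
    Assumption: ip_protocol ALL matches any protocol."""
    proto_ok = rule.ip_protocol.upper() in ("ALL", protocol.upper())
    lo, hi = parse_port_range(rule.port_range)
    return proto_ok and lo <= port <= hi


def evaluate_security_group(rules: List[SecurityGroupRule],
                            ports: str = "22,3389",
                            protocols: str = "TCP,UDP"):
    """Return ("Compliant", []) or ("Incompliant", [(protocol, port, priority), ...]).

    For each high-risk (protocol, port) pair the first rule in priority order
    whose source is 0.0.0.0/0 and that covers the pair decides the outcome:
    accept -> Incompliant finding, drop -> Compliant (denied by a higher-priority rule),
    no such rule -> Compliant (port not exposed to 0.0.0.0/0)."""
    risky_ports = [int(p.strip()) for p in ports.split(",")]
    risky_protocols = [p.strip().upper() for p in protocols.split(",")]
    # Assumption: lower priority number evaluates first; drop beats accept on ties.
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.policy.lower() == "drop" else 1))
    findings = []
    for protocol in risky_protocols:
        for port in risky_ports:
            for rule in ordered:
                if rule.source_cidr != "0.0.0.0/0" or not rule_covers(rule, protocol, port):
                    continue
                if rule.policy.lower() == "accept":
                    findings.append((protocol, port, rule.priority))
                break  # the highest-priority matching 0.0.0.0/0 rule decides
    status = "Incompliant" if findings else "Compliant"
    return status, findings


# Constructed sample security groups covering each bullet of the evaluation logic.
SG_OPEN_SSH = [SecurityGroupRule(1, "accept", "TCP", "22/22", "0.0.0.0/0")]
SG_DENIED_BY_HIGHER_PRIORITY = [
    SecurityGroupRule(1, "drop", "TCP", "1/65535", "0.0.0.0/0"),
    SecurityGroupRule(50, "accept", "TCP", "22/22", "0.0.0.0/0"),
]
SG_NARROW_SOURCE = [SecurityGroupRule(1, "accept", "TCP", "22/22", "203.0.113.0/24")]
SG_HTTPS_ONLY = [SecurityGroupRule(1, "accept", "TCP", "443/443", "0.0.0.0/0")]
SG_ALLOW_ALL = [SecurityGroupRule(100, "accept", "ALL", "-1/-1", "0.0.0.0/0")]

if __name__ == "__main__":
    for name, sg in [("open ssh", SG_OPEN_SSH),
                     ("denied by higher priority", SG_DENIED_BY_HIGHER_PRIORITY),
                     ("narrow source", SG_NARROW_SOURCE),
                     ("https only", SG_HTTPS_ONLY),
                     ("allow all", SG_ALLOW_ALL)]:
        print(f"{name}: {evaluate_security_group(sg)}")
```

The deny case only counts when the drop rule itself is scoped to 0.0.0.0/0; a drop rule for a private range placed above an Internet-facing accept rule still leaves the port exposed and is reported as Incompliant, which is the outcome a reviewer would want to see.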

Rule details

Rule name: ecs-security-group-risky-ports-check-with-protocol
Rule identifier: ecs-security-group-risky-ports-check-with-protocol
Tag: SecurityGroup
Automatic remediation: Not supported
Trigger type: Configuration change
Supported resource type: ECS security groups
Input parameters:
  • ports: The default value is 22,3389.
  • protocols: The default value is TCP,UDP.

Incompliance remediation

Modify the rules of the ECS security group so that no rule allows access to the high-risk ports from 0.0.0.0/0, or so that access to the high-risk ports is denied by an inbound rule with a higher priority. For more information, see Modify security group rules.