Checks whether the specified high-risk ports are mapped by using the DNAT entries of NAT Gateway.
Scenarios
You can disable unnecessary port mappings to prevent the system behind the NAT gateway from being exposed to network risks.
Risk level
Default risk level: medium.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If none of the specified high-risk ports are mapped by using the DNAT entries of NAT Gateway, the evaluation result of the rule is Compliant.
- If any of the specified high-risk ports are mapped by using the DNAT entries of NAT Gateway, the evaluation result of the rule is Non-compliant. For more information about how to remediate a non-compliant configuration, see Non-compliance remediation.
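The following is an added example that implements the evaluation logic above in plain Python; it is not code from the rule or from the NAT Gateway service. The DNAT entry field names, the sample entries, and the convention that an external port of "Any" forwards every port are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnatEntry:
    """Minimal DNAT entry model. Field names are this example's own, not the API's."""
    nat_gateway_id: str
    external_port: str   # port on the NAT gateway's public side; "Any" = all ports (assumed convention)
    internal_ip: str
    internal_port: str
    protocol: str


def parse_ports(ports_param: str) -> frozenset[int]:
    """Parse the rule's `ports` input parameter: port numbers separated by commas."""
    result = set()
    for raw in ports_param.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if not raw.isdigit() or not 1 <= int(raw) <= 65535:
            raise ValueError(f"invalid port in parameter: {raw!r}")
        result.add(int(raw))
    return frozenset(result)


def exposed_ports(entry: DnatEntry, risk_ports: frozenset[int]) -> set[int]:
    """Return the high-risk ports that this DNAT entry maps on the public side."""
    if entry.external_port.lower() == "any":
        return set(risk_ports)            # an all-ports mapping exposes every listed port
    return {int(entry.external_port)} & set(risk_ports)


def evaluate(entries, ports_param: str, gateway_ids=()) -> dict[str, dict]:
    """Evaluate each NAT gateway: Compliant unless one of its DNAT entries maps a high-risk port.

    `gateway_ids` lists gateways to report even when they have no DNAT entries.
    """
    risk_ports = parse_ports(ports_param)
    results = {gw: {"result": "Compliant", "violations": []} for gw in gateway_ids}
    for e in entries:
        gw = results.setdefault(e.nat_gateway_id, {"result": "Compliant", "violations": []})
        hit = exposed_ports(e, risk_ports)
        if hit:
            gw["result"] = "Non-compliant"
            # record the offending mapping so the remediation step knows which entry to modify
            gw["violations"].append((e.external_port, e.internal_ip, e.internal_port, sorted(hit)))
    return results


# Constructed sample DNAT entries; the IDs and addresses are not real resources.
SAMPLE_ENTRIES = [
    DnatEntry("ngw-a", "22", "192.168.0.10", "22", "TCP"),
    DnatEntry("ngw-a", "443", "192.168.0.10", "443", "TCP"),
    DnatEntry("ngw-b", "8443", "192.168.1.5", "443", "TCP"),
    DnatEntry("ngw-c", "Any", "192.168.2.7", "Any", "Any"),
]

if __name__ == "__main__":
    for gw, r in evaluate(SAMPLE_ENTRIES, "22, 3389,445", gateway_ids=["ngw-d"]).items():
        print(gw, r["result"], r["violations"])
```

A gateway is judged on its external ports only: ngw-b forwards public 8443 to internal 443, so it stays Compliant even though 443 is listed nowhere here and 8443 is not a risk port, whereas an all-ports entry such as ngw-c is treated as mapping every port in the list.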
Rule details
Item | Description |
---|---|
Rule name | nat-risk-ports-check |
Rule identifier | nat-risk-ports-check |
Tag | NAT and NatGateway |
Automatic remediation | Supported |
Trigger type | Periodic execution |
Evaluation frequency | Every 24 hours |
Supported resource type | NAT gateway |
Input parameter | ports. Note: Separate multiple ports with commas (,). |
Non-compliance remediation
Modify the port settings of the relevant DNAT entries. For more information, see Create and manage DNAT entries.