
Cloud Config: sg-risky-ports-check

Last Updated: Nov 10, 2025

Checks whether the inbound Classless Inter-Domain Routing (CIDR) block of a security group is not set to 0.0.0.0/0, or, where it is set to 0.0.0.0/0, whether the specified high-risk ports are disabled. In either of these two cases the configuration is considered compliant.

Scenarios

You must disable all high-risk ports when you allow access to an Elastic Compute Service (ECS) instance from all CIDR blocks (0.0.0.0/0) over the Internet. A high-risk port left open to 0.0.0.0/0 is reachable from every address on the Internet, so disabling such ports is what keeps the instance's network exposure under control.

Risk level

Default risk level: high.

When you configure this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If the inbound CIDR block of a security group is not set to 0.0.0.0/0, the configuration is considered compliant.
  • If the inbound CIDR block of the security group is set to 0.0.0.0/0 but the specified high-risk ports are disabled, the configuration is also considered compliant.
  • If the inbound CIDR block of the security group is set to 0.0.0.0/0 and the specified high-risk ports are enabled, the configuration is considered incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.

Rule details

Item: Description
Rule name: sg-risky-ports-check
Rule identifier: sg-risky-ports-check
Tag: SecurityGroup
Automatic remediation: Not supported
Trigger type: Configuration change
Supported resource type: ECS security group
Input parameter: ports
  Note: Separate multiple ports with commas (,).
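The evaluation logic above, applied locally to a list of security group rules, as an added example that is not Cloud Config's own evaluator. It assumes rule dicts shaped like the permissions returned by the ECS DescribeSecurityGroupAttribute API (Direction, Policy, IpProtocol, PortRange, SourceCidrIp); the sample rules and the value of the ports parameter are constructed.

```python
# Added example, not Alibaba Cloud's implementation. Rule dict keys follow the
# shape of the ECS DescribeSecurityGroupAttribute response (assumption); the
# sample rules and the "ports" parameter value below are constructed.

def parse_ports(ports_param):
    """Parse the rule's comma-separated 'ports' input parameter into a set of ints."""
    return {int(p) for p in ports_param.split(",") if p.strip()}

def port_range_covers(port_range, port):
    """ECS PortRange is written 'low/high'; '-1/-1' means every port."""
    low, high = (int(x) for x in port_range.split("/"))
    return (low == -1 and high == -1) or low <= port <= high

def find_risky_exposures(permissions, risky_ports):
    """Return (port, rule) pairs for every risky port that an Accept ingress rule
    opens to 0.0.0.0/0. Only the CIDR the rule text names counts as 'the Internet';
    Drop rules and egress rules never create an exposure."""
    exposures = []
    for rule in permissions:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        if rule.get("SourceCidrIp", "").strip() != "0.0.0.0/0":
            continue
        if rule.get("IpProtocol", "").upper() not in ("TCP", "UDP", "ALL"):
            continue  # ICMP/GRE carry no port, so a port-based check ignores them
        for port in sorted(risky_ports):
            if port_range_covers(rule["PortRange"], port):
                exposures.append((port, rule))
    return exposures

def evaluate(permissions, ports_param):
    """Mirror the rule's verdict: compliant unless a risky port is open to 0.0.0.0/0."""
    return "NON_COMPLIANT" if find_risky_exposures(permissions, parse_ports(ports_param)) else "COMPLIANT"

# Constructed sample: restricted SSH, world-open HTTP, world-open RDP, and an egress rule.
SAMPLE_PERMISSIONS = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for port, rule in find_risky_exposures(SAMPLE_PERMISSIONS, parse_ports("22,3389,1433")):
        print(f"port {port} reachable from 0.0.0.0/0 via {rule['IpProtocol']} {rule['PortRange']}")
    print(evaluate(SAMPLE_PERMISSIONS, "22,3389,1433"))  # NON_COMPLIANT
```

Only the RDP rule trips the check here: the SSH rule is limited to one /24, HTTP is not in the ports parameter, and the egress rule is outside the inbound scope of this rule.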

Incompliance remediation

Modify security group rules. For more information, see Modify a security group rule.