Checks whether an Elastic Compute Service (ECS) security group has inbound rules that open high-risk ports to all CIDR blocks (0.0.0.0/0).

Scenario

If an Elastic Compute Service (ECS) instance must be reachable from all CIDR blocks on the Internet, make sure that the high-risk ports you list in the ports parameter are not opened to 0.0.0.0/0 as well. Otherwise, those ports are exposed to scanning, brute-force and exploitation attempts from the entire Internet.

Risk level

Default risk level: high.

You can change the risk level as required when you apply this rule.

Compliance evaluation logic

  • If no inbound rule of the security group uses 0.0.0.0/0 as its source CIDR block, the configuration is considered compliant.
  • If an inbound rule uses 0.0.0.0/0 as its source CIDR block but none of the ports listed in the ports parameter is allowed by such a rule, the configuration is also considered compliant.
  • If an inbound rule uses 0.0.0.0/0 as its source CIDR block and allows one or more of the ports listed in the ports parameter, the configuration is considered non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
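The following is an added example, not code from the original page or from Alibaba Cloud Config, that implements the evaluation logic above over a locally constructed rule set so you can see exactly which rule causes a non-compliant result. The Permission fields are modeled on the permission attributes returned by the ECS DescribeSecurityGroupAttribute API (Direction, Policy, IpProtocol, PortRange, SourceCidrIp); that mapping, the treatment of the -1/-1 port range as "all ports", and the sample rules are assumptions made for the example. Rule priority and Drop rules are ignored: the example flags any Accept rule that matches, which is the conservative reading of the compliance logic.

```python
"""Local re-implementation of the sg-risky-ports-check evaluation logic (example only)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

ANY_IPV4 = "0.0.0.0/0"


@dataclass(frozen=True)
class Permission:
    """One security group rule. Field names follow the assumed shape of
    DescribeSecurityGroupAttribute permissions (assumption, not the real SDK type)."""
    direction: str       # "ingress" or "egress"
    policy: str          # "Accept" or "Drop"
    ip_protocol: str     # "TCP", "UDP", "ICMP", "GRE" or "ALL"
    port_range: str      # "22/22", "1/65535" or "-1/-1" (all ports)
    source_cidr_ip: str  # e.g. "0.0.0.0/0" or "203.0.113.0/24"


def parse_ports(param: str) -> set[int]:
    """Parse the comma-separated `ports` input parameter, e.g. "22,3389"."""
    ports: set[int] = set()
    for token in param.split(","):
        token = token.strip()
        if not token:
            continue
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


def port_range_covers(port_range: str, port: int) -> bool:
    """True if a "lo/hi" port range includes `port`; "-1/-1" means all ports."""
    lo, hi = (int(part) for part in port_range.split("/"))
    if lo == -1 and hi == -1:
        return True
    return lo <= port <= hi


def exposed_ports(rules: Iterable[Permission], risky_ports: set[int]) -> dict[int, list[Permission]]:
    """Map each risky port to the inbound Accept rules that open it to 0.0.0.0/0."""
    hits: dict[int, list[Permission]] = {}
    for rule in rules:
        # Only inbound Accept rules can expose a port.
        if rule.direction.lower() != "ingress" or rule.policy.lower() != "accept":
            continue
        # Only rules open to every IPv4 source are in scope for this check.
        if rule.source_cidr_ip != ANY_IPV4:
            continue
        # ICMP/GRE rules carry no port, so they cannot open a risky port.
        if rule.ip_protocol.upper() not in ("TCP", "UDP", "ALL"):
            continue
        for port in sorted(risky_ports):
            if port_range_covers(rule.port_range, port):
                hits.setdefault(port, []).append(rule)
    return hits


def evaluate(rules: Iterable[Permission], ports_param: str) -> tuple[str, dict[int, list[Permission]]]:
    """Return ("COMPLIANT" | "NON_COMPLIANT", offending rules per port)."""
    hits = exposed_ports(rules, parse_ports(ports_param))
    return ("NON_COMPLIANT" if hits else "COMPLIANT"), hits


# Constructed sample rule set for the example: SSH open to the world (non-compliant),
# RDP restricted to one /24 (fine), HTTP open to the world (not in the risky list).
SAMPLE_RULES = [
    Permission("ingress", "Accept", "TCP", "22/22", "0.0.0.0/0"),
    Permission("ingress", "Accept", "TCP", "3389/3389", "203.0.113.0/24"),
    Permission("ingress", "Accept", "TCP", "80/80", "0.0.0.0/0"),
    Permission("egress", "Accept", "ALL", "-1/-1", "0.0.0.0/0"),
]

if __name__ == "__main__":
    status, offenders = evaluate(SAMPLE_RULES, "22,3389")
    print(status)
    for port, rules in offenders.items():
        for rule in rules:
            print(f"  port {port} open to {rule.source_cidr_ip} by {rule.ip_protocol} {rule.port_range}")
```

Running it with the ports parameter set to 22,3389 reports NON_COMPLIANT and names only the SSH rule: the RDP rule is scoped to a single CIDR block and the HTTP rule is not in the list. An ALL-protocol rule with port range -1/-1 and source 0.0.0.0/0 is flagged for every listed port, which is the case that is easiest to overlook when reviewing rules by hand.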

Rule details

Item                     Description
Rule name                sg-risky-ports-check
Rule ID                  sg-risky-ports-check
Tag                      SecurityGroup
Automatic remediation    Not supported
Trigger type             Configuration change
Supported resource type  ECS security group
Input parameter          ports: the high-risk port numbers to check. Separate multiple values with commas (,), for example 22,3389.

Non-compliance remediation

Modify the security group rules so that the ports listed in the ports parameter are no longer open to 0.0.0.0/0: delete the offending inbound rule, or restrict its source CIDR block to the addresses that actually need access. Re-check the rule after the change to confirm the resource is reported as compliant. For more information, see Modify security group rules.