Improper configuration of security group rules may cause security risks. Cloud Firewall provides the security check feature to check for rules that put your assets at risk in Elastic Compute Service (ECS) security groups. The feature also provides solutions. This allows you to use security groups in a more secure and efficient manner. This topic describes how to use the security check feature in the Cloud Firewall console.

Background information

A security group is a virtual firewall that is used to protect ECS instances in Alibaba Cloud. The security check feature supports both basic and advanced security groups. For more information, see Overview.

For more information about the check items supported by the security check feature, see Supported check items.

Supported editions

Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall support the security check feature.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Policy Assistant.
  3. Optional: On the Policy Assistant page, click Obtain Latest Check Results.
    The check requires 1 to 5 minutes.
    Note The latest results are obtained based on the static analysis of security group rules and may not include all port risks. You can view complete check results about port exposure on the Internet Access page. For more information, see Internet access.
  4. In the Check Result Details section, view the details about the check items based on which security risks are detected.
    You can view the following information about a check item: Risk Level, Check Item, Risky Security Groups/Servers, and Check Item Status.
    Note You can turn on or off Check Item Status. If you turn off Check Item Status for a check item, the check item is not used.
  5. Modify the security group rules that put your assets at risk.
    1. Find the check item that you want to manage and click View Details in the Actions column.
      You can also click the number in the Risky Security Groups/Servers column to go to the Details page.
    2. On the Details page, find the security group whose rules you want to modify and click Fix Issue in the Actions column.
      You can also click the security group ID in the Risky Security Group ID/Name column to go to the Security Groups page of the ECS console and modify the security group rules that put your assets at risk.
      Warning Improper configuration of security group rules may cause security risks. The Details page provides suggestions to modify the security group rules that put your assets at risk. We recommend that you modify the security group rules that put your assets at risk based on the suggestions at the earliest opportunity.

References

If you use the Free Edition of Cloud Firewall, you can click Upgrade now or Manually fix issue.
  • Upgrade now: You can purchase Premium Edition or a higher edition and use the security check feature to fix security group rules that put your assets at risk. You can use Cloud Firewall to manage security groups and access control policies of public IP addresses in a centralized manner. This reduces the risks of asset exposure and improves the efficiency of security management. This method is recommended.
  • Manually fix issue: You are redirected to the Security Groups page of the ECS console. You can manually fix the security group rules that put your assets at risk. For more information, see Modify security group rules.

Supported check items

Each check item is listed with its name, the risk it detects, and the suggested fix.

  • Open remote operations and maintenance (O&M) ports of Linux servers
    Risk: Port 22 allows requests from all IP addresses. The associated Linux servers may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 22 on the Security Groups page of the ECS console. If your services require access to port 22, we recommend that you allow only specific public IP addresses to access port 22 or use Bastionhost for remote O&M. For more information, see What is Bastionhost?.
  • Open remote O&M ports of Windows servers
    Risk: Port 3389 allows requests from all IP addresses. The associated Windows servers may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 3389 on the Security Groups page of the ECS console. If your services require access to port 3389, we recommend that you allow only specific public IP addresses to access port 22 or use Bastionhost for remote O&M. For more information, see What is Bastionhost?.
  • Open remote O&M ports of DB2 databases
    Risk: Port 50000 allows requests from all IP addresses. The associated DB2 databases may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 50000 on the Security Groups page of the ECS console.
  • Excessive security groups
    Risk: An ECS instance is added to three or more security groups. This makes O&M difficult and increases the risk of incorrect configurations.
    Suggestion: We recommend that you add an ECS instance to a maximum of two security groups. For more information, see Overview.
  • Open remote O&M ports of Elasticsearch
    Risk: Ports 9200 and 9300 allow requests from all IP addresses. The associated Elasticsearch clusters may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to ports 9200 and 9300 on the Security Groups page of the ECS console.
  • Open remote O&M ports of Hadoop YARN
    Risk: Port 8088 allows requests from all IP addresses. The associated Hadoop YARN may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 8088 on the Security Groups page of the ECS console.
  • Open remote O&M ports of Hadoop
    Risk: Ports 50070 and 50030 allow requests from all IP addresses. The associated Hadoop may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to ports 50070 and 50030 on the Security Groups page of the ECS console.
  • Open remote O&M ports of ApsaraDB for MongoDB
    Risk: Port 27017 allows requests from all IP addresses. The associated ApsaraDB for MongoDB may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 27017 on the Security Groups page of the ECS console.
  • Open remote O&M ports of Alibaba Cloud services that support MySQL database engines
    Risk: Port 3306 allows requests from all IP addresses. The associated Alibaba Cloud services that support MySQL database engines may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 3306 on the Security Groups page of the ECS console.
  • Open remote O&M ports of Alibaba Cloud services that support Oracle database engines
    Risk: Port 1521 allows requests from all IP addresses. The associated Alibaba Cloud services that support Oracle database engines may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 1521 on the Security Groups page of the ECS console.
  • Open remote O&M ports of Alibaba Cloud services that support PostgreSQL database engines
    Risk: Port 5432 allows requests from all IP addresses. The associated Alibaba Cloud services that support PostgreSQL database engines may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 5432 on the Security Groups page of the ECS console.
  • Open remote O&M ports of ApsaraDB for Redis databases
    Risk: Port 6379 allows requests from all IP addresses. The associated ApsaraDB for Redis databases may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 6379 on the Security Groups page of the ECS console.
  • Open remote O&M ports of ApsaraDB RDS for SQL Server
    Risk: Port 1433 allows requests from all IP addresses. The associated ApsaraDB RDS for SQL Server may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 1433 on the Security Groups page of the ECS console.
  • Open remote O&M ports of Spark clusters
    Risk: Port 6066 allows requests from all IP addresses. The associated Spark clusters may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to port 6066 on the Security Groups page of the ECS console.
  • Open remote O&M ports of Splunk instances
    Risk: Ports 8089 and 8090 allow requests from all IP addresses. The associated Splunk instances may be cracked.
    Suggestion: We recommend that you deny the access of public IP addresses to ports 8089 and 8090 on the Security Groups page of the ECS console.
  • Open ports of security groups
    Risk: Security groups are configured to allow all IP addresses to access any ports. The associated servers may be cracked.
    Suggestion: We recommend that you configure security groups to allow requests from specific IP addresses.
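The port-based check items above are a static analysis of inbound rules, and the same screening can be run locally before a rule is applied. The Python below is an added example, not Cloud Firewall's or ECS's own code; it assumes rule dictionaries that use the field names of the ECS DescribeSecurityGroupAttribute response (Direction, Policy, IpProtocol, PortRange, SourceCidrIp), and the sample rules are constructed, not real ECS output.

```python
import ipaddress

# Port-based check items from the table above (port -> affected service).
PORT_CHECKS = {
    22: "Linux servers", 3389: "Windows servers", 50000: "DB2 databases",
    9200: "Elasticsearch", 9300: "Elasticsearch", 8088: "Hadoop YARN",
    50070: "Hadoop", 50030: "Hadoop", 27017: "ApsaraDB for MongoDB",
    3306: "MySQL database engines", 1521: "Oracle database engines",
    5432: "PostgreSQL database engines", 6379: "ApsaraDB for Redis databases",
    1433: "ApsaraDB RDS for SQL Server", 6066: "Spark clusters",
    8089: "Splunk instances", 8090: "Splunk instances",
}

def _open_to_all(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. requests from all IP addresses."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _port_range(rule):
    """Parse the ECS 'lo/hi' port syntax; '-1/-1' means every port."""
    lo, hi = (int(p) for p in rule["PortRange"].split("/"))
    return (1, 65535) if -1 in (lo, hi) else (lo, hi)

def check_security_group(group_id, rules):
    """Return (check_item, group_id, port) findings for one group's rules."""
    findings = []
    for rule in rules:
        # Only inbound Accept rules with a CIDR source can expose a port.
        src = rule.get("SourceCidrIp")
        if (rule.get("Direction", "ingress") != "ingress"
                or rule.get("Policy", "Accept") != "Accept"
                or not src or not _open_to_all(src)):
            continue
        lo, hi = _port_range(rule)
        if rule["IpProtocol"].upper() == "ALL" or (lo, hi) == (1, 65535):
            findings.append(("Open ports of security groups", group_id, None))
            continue  # any port from anywhere: the catch-all item covers it
        for port, service in PORT_CHECKS.items():
            if lo <= port <= hi:  # a range such as 3300/3350 still exposes 3306
                findings.append((f"Open remote O&M ports of {service}", group_id, port))
    return findings

# Constructed sample (not real ECS output): SSH open to everyone beside a correctly
# scoped rule, a range that covers 3306, an unlisted port, and an allow-all group.
def _rule(proto, ports, src):
    return {"Direction": "ingress", "Policy": "Accept", "IpProtocol": proto,
            "PortRange": ports, "SourceCidrIp": src}

SAMPLE_GROUPS = {
    "sg-example-1": [_rule("TCP", "22/22", "0.0.0.0/0"), _rule("TCP", "22/22", "203.0.113.0/24"),
                     _rule("TCP", "3300/3350", "0.0.0.0/0"), _rule("TCP", "80/80", "0.0.0.0/0")],
    "sg-example-2": [_rule("ALL", "-1/-1", "0.0.0.0/0")],
}
```

Running check_security_group over SAMPLE_GROUPS reports the world-open port 22 and the 3306 exposure for sg-example-1 (the 203.0.113.0/24 rule and port 80 are not flagged) and the catch-all item for sg-example-2.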