
Elastic Compute Service:Restrict source IP addresses for instance O&M ports

Last Updated: Oct 24, 2025

When you create an instance, do not allow access from all source IP addresses to the O&M ports in its security group. You should open only the necessary ports and restrict access to specified IP addresses.

Security risks

O&M ports for an Elastic Compute Service (ECS) instance, such as Secure Shell (SSH) port 22 for Linux and Remote Desktop Protocol (RDP) port 3389 for Windows, are the gateways for administrators to remotely manage servers. If you set the access permissions for these ports to all IP addresses (0.0.0.0/0) in a security group, you expose this gateway to the entire Internet:

  • Brute-force attacks: Attackers can use automated tools to continuously try common username and password combinations to log on to your server. If successful, they obtain full control of your server.

  • Data breach and tampering: Intruders can steal or modify core business data on your server. This can cause direct business loss.

  • Malware infection: The server can be used as part of a botnet (zombie) to launch DDoS attacks, perform mining, or act as a springboard for attacking other networks.

Best practices

Use security groups to open only necessary ports and restrict access to specified source IP addresses.

Console

  1. Create a security group with inbound rules that do not allow access to O&M ports from all IP addresses (0.0.0.0/0).

  2. When you create an instance on the instance purchase page, select the security group that you created.

API

  1. Call the CreateSecurityGroup API operation to create a new security group, and then call the AuthorizeSecurityGroup API operation to add the necessary inbound rules. You can specify the SourceCidrIp parameter to restrict the source IP address.

  2. When you call the RunInstances or CreateInstance API operation to create an instance, specify the SecurityGroupId parameter to add the instance to a security group.

Compliance capabilities

Check: Find security groups that open O&M ports to all IP addresses

ECS Insight

  1. Go to ECS Insight.

  2. Click the Security tab. Then, click the check item Unrestricted Access to Specific Security Group Ports to view instances that allow access from any IP address (0.0.0.0/0) to specific ports.

Security Center

  1. Go to the Security Center console.

  2. In the navigation pane on the left, choose Risk Administration > Cloud Security Posture Management. Select the Cloud Product Configuration Risks tab. Find the Prohibit Access from Any IP Address to Port 22 and Port 3389 check item, and then click the Scan button in the Actions column.

    If the status is Failed, this indicates that there are instances that allow access from any IP address to port 22 or 3389. You can click Details to view them.

Block: Prohibit instance creation operations that allow access from any IP address to O&M ports

Use a RAM policy at the organization or account level to block security group rules that allow access from any IP address.

  • For enterprise users:

    1. Log on to the Resource Directory console using an Alibaba Cloud account. In the left-side menu bar, click Control Policies. Then, create a custom policy and paste the following JSON content.

      This policy denies operations that add or modify TCP security group rules whose source is 0.0.0.0/0, and denies instance creation operations that do not specify a security group.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Deny",
            "Action": [
              "ecs:AuthorizeSecurityGroup",
              "ecs:ConfigureSecurityGroupPermissions",
              "ecs:ModifySecurityGroupRule"
            ],
            "Resource": "*",
            "Condition": {
              "StringLike": {
                "ecs:SecurityGroupIpProtocols": [
                  "TCP"
                ]
              },
              "CIDRInRange": {
                "ecs:SecurityGroupSourceCidrIps": [
                  "0.0.0.0/0"
                ]
              }
            }
          },
          {
            "Effect": "Deny",
            "Action": [
              "ecs:CreateInstance",
              "ecs:RunInstances"
            ],
            "Resource": "*",
            "Condition": {
              "Bool": {
                "ecs:NotSpecifySecureGroupId": [
                  "true"
                ]
              }
            }
          }
        ]
      }

    2. In your resource directory, select a suitable node and attach the policy. The policy then blocks these operations for all accounts under that node.

  • For non-enterprise users:

    1. Log on to the RAM console using your Alibaba Cloud account. In the navigation pane on the left, click Policies. Then, create a custom policy with the same content as described in the previous section.

    2. Grant the access policy to a RAM user, RAM user group, or RAM role. For more information, see Managing authorization for access policies.

Remediate: Modify security group rules

Modify existing security group rules. Change the authorization object from 0.0.0.0/0 to a specific, trusted IP address range.

  1. Locate insecure rules: Use the methods described in the Check section to find security groups and rules that pose a threat.

  2. Modify the rules:

    1. Go to the ECS console - Security Groups page. Find the target security group and click Manage Rules in the Operation column.

    2. Find the relevant rule, such as a rule for port 22 that uses 0.0.0.0/0 as the authorization object. Click Modify. Update the authorization object to a trusted source IP address and click Save.
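As an added example (not code from the Alibaba Cloud documentation), the following Python script applies the Check and Remediate logic above to a constructed sample shaped like the Permissions list that DescribeSecurityGroupAttribute returns; the field names are an assumption. It flags inbound Accept rules that expose port 22 or 3389 to any source address, going slightly beyond the page by treating ::/0 like 0.0.0.0/0 and a -1/-1 port range as all ports, and it rewrites a flagged rule to a trusted CIDR while refusing another any-address range.

```python
import ipaddress
import json

OM_PORTS = (22, 3389)  # SSH and RDP, the O&M ports discussed on the page

# Constructed sample in the shape of the "Permissions" section returned by
# DescribeSecurityGroupAttribute (field names are an assumption, not verified).
SAMPLE = json.dumps({"SecurityGroupId": "sg-sample-0001", "Permissions": {"Permission": [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Priority": "1"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "10.0.0.0/8", "Priority": "1"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Priority": "100"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0", "Priority": "1"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "0.0.0.0/0", "Priority": "1"},
]}})

def port_range_covers(port_range, port):
    """ECS writes ranges as "low/high"; "-1/-1" means every port."""
    low, high = (int(p) for p in port_range.split("/"))
    return (low == -1 and high == -1) or low <= port <= high

def is_any_source(cidr):
    """A /0 prefix (0.0.0.0/0, or ::/0 for IPv6) admits every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_exposed_om_rules(response_json):
    """Inbound Accept rules that open SSH or RDP to any source IP address."""
    exposed = []
    for rule in json.loads(response_json)["Permissions"]["Permission"]:
        if rule["Direction"] != "ingress" or rule["Policy"] != "Accept":
            continue  # egress and Drop rules do not expose a port
        if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
            continue  # SSH and RDP are TCP services
        if not is_any_source(rule["SourceCidrIp"]):
            continue
        hit = [p for p in OM_PORTS if port_range_covers(rule["PortRange"], p)]
        if hit:
            exposed.append((rule["PortRange"], hit))
    return exposed

def restrict_rule(rule, trusted_cidr):
    """Copy of a flagged rule re-targeted at a trusted CIDR; rejects another /0."""
    if is_any_source(trusted_cidr):
        raise ValueError("trusted CIDR must not be an any-address range")
    return {**rule, "SourceCidrIp": str(ipaddress.ip_network(trusted_cidr, strict=False))}
```

The returned rule dictionary carries the same keys as the input, so the corrected SourceCidrIp can be fed back to the ModifySecurityGroupRule operation along with the rule's other fields.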

Important

When you use Alibaba Cloud Workbench for remote connections to an instance, configure the security group inbound rule as follows.

Authorization Policy: Allow

Priority: 1

Protocol Type: Custom TCP

Port Range:

  • For Linux instances, port 22 is open by default: Select SSH (22).

  • For Windows instances, port 3389 is open by default: Select RDP (3389).

  • If you have manually opened other ports, enter the port range.

Authorization Object:

  • If you connect using the public IP address of the instance (including static public IP addresses and EIPs): Add 161.117.0.0/16.

  • If you connect through the private IP address of the instance in a VPC: Add 100.104.0.0/16.

For security and stability, we recommend that you do not expose O&M ports to public IP addresses, such as office network egress IPs. Instead, allow access from internal IP addresses in your VPC. For more information, see Security group application guide and examples.