Checks whether the Port Range parameter of an inbound rule in a security group is set to All when the Action parameter of the inbound rule is set to Allow. If not, the evaluation result is Compliant. If the Port Range parameter of the inbound rule is set to All, checks whether access from all ports is denied by an inbound rule with a higher priority. If so, the evaluation result is Compliant.

Scenarios

This rule applies when you need to configure a rule for a security group based on the principle of least privilege (PoLP). This helps you reduce network exposure and ensure the network security of cloud environments.

Risk level

Default risk level: high.

When you apply this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If the Port Range parameter of an inbound rule in a security group is not set to All when the Action parameter of the inbound rule is set to Allow, the evaluation result is Compliant. If the Port Range parameter of the inbound rule is set to All but the access from all ports is denied by an inbound rule with a higher priority, the evaluation result is also Compliant.
  • If the Port Range parameter of the inbound rule is set to All but the access from all ports is not denied by an inbound rule with a higher priority, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
  • This rule applies only to Elastic Compute Service (ECS). This rule does not apply to other Alibaba Cloud services, such as Cloud Firewall (CFW) and NAT Gateway, or security groups that are used by virtual network operators (VNOs).
    Note: Security groups that are created by using Alibaba Cloud services other than ECS in managed mode are called managed security groups. For more information about managed security groups, see Managed security groups.
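The evaluation logic above, worked through as an offline example that is added here and is not Alibaba Cloud Config's own implementation. It evaluates constructed security group rule sets and reports which inbound Allow rules open all ports without being shadowed by a higher-priority Deny rule. Two assumptions are labelled in the code: the port range "-1/-1" stands for All, as the ECS API encodes it, and a numerically smaller Priority value is a higher priority (1 highest, 100 lowest). The page does not say whether source CIDRs must match between the Allow and the Deny rule, so this check does not compare them.

```python
"""Offline evaluator for the ecs-security-group-not-open-all-port logic.

Constructed example; not Alibaba Cloud Config's own code.
Assumptions: "-1/-1" encodes an All port range (ECS API convention), and a
smaller Priority number means a higher priority (1 highest, 100 lowest).
"""
from dataclasses import dataclass
from typing import List

ALL_PORTS = "-1/-1"  # assumption: ECS encoding of Port Range = All


@dataclass(frozen=True)
class SgRule:
    """One security group rule in ECS API terms (accept = Allow, drop = Deny)."""
    direction: str        # "ingress" (inbound) or "egress" (outbound)
    policy: str           # "accept" or "drop"
    port_range: str       # e.g. "22/22", "80/80", "-1/-1"
    priority: int         # 1 (highest) .. 100 (lowest); assumption, see above
    source_cidr: str = "0.0.0.0/0"


def opens_all_ports(rule: SgRule) -> bool:
    """Inbound Allow rule whose Port Range is All: the condition the rule flags."""
    return (rule.direction == "ingress"
            and rule.policy == "accept"
            and rule.port_range == ALL_PORTS)


def shadowed_by_deny(rule: SgRule, rules: List[SgRule]) -> bool:
    """True if an inbound Deny rule covering all ports has a higher
    priority than `rule`. Source CIDRs are deliberately not compared;
    the rule description does not specify that, so this is a simplification."""
    return any(other.direction == "ingress"
               and other.policy == "drop"
               and other.port_range == ALL_PORTS
               and other.priority < rule.priority
               for other in rules)


def offending_rules(rules: List[SgRule]) -> List[SgRule]:
    """Inbound Allow/All rules that no higher-priority Deny/All rule shadows."""
    return [r for r in rules
            if opens_all_ports(r) and not shadowed_by_deny(r, rules)]


def evaluate(rules: List[SgRule]) -> str:
    """Return the evaluation result for one security group."""
    return "Incompliant" if offending_rules(rules) else "Compliant"


# Constructed sample security groups (not taken from any real account).
SG_SSH_ONLY = [SgRule("ingress", "accept", "22/22", 1, "10.0.0.0/8")]
SG_OPEN = [SgRule("ingress", "accept", ALL_PORTS, 1)]
SG_SHADOWED = [SgRule("ingress", "drop", ALL_PORTS, 1),
               SgRule("ingress", "accept", ALL_PORTS, 50)]
SG_WRONG_ORDER = [SgRule("ingress", "accept", ALL_PORTS, 1),
                  SgRule("ingress", "drop", ALL_PORTS, 50)]
SG_EGRESS_ONLY = [SgRule("egress", "accept", ALL_PORTS, 1)]

if __name__ == "__main__":
    for name, sg in [("ssh-only", SG_SSH_ONLY), ("open", SG_OPEN),
                     ("shadowed", SG_SHADOWED), ("wrong-order", SG_WRONG_ORDER),
                     ("egress-only", SG_EGRESS_ONLY)]:
        print(f"{name:12s} -> {evaluate(sg)}")
```

The "wrong-order" group is the case practitioners most often get wrong: a Deny/All rule exists, but with a lower priority than the Allow/All rule, so it never takes effect and the group remains Incompliant. Outbound rules are ignored, matching the rule's inbound-only scope.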

Rule details

Item                      Description
Rule name                 ecs-security-group-not-open-all-port
Rule identifier           ecs-security-group-not-open-all-port
Tag                       SecurityGroup
Automatic remediation     Not supported
Trigger type              Configuration change
Supported resource type   ECS security group
Input parameter           None

Incompliance remediation

Modify a security group rule. For more information, see Modify a security group rule.