
Cloud Config:ecs-security-group-not-used

Last Updated:Nov 10, 2025

Checks whether the number of ECS instances that are added to each security group is greater than 0. If so, the configuration is considered compliant.

Scenarios

You must delete idle security groups on a regular basis. This helps prevent resource waste and reduces management costs.

Risk level

Default risk level: medium.

When you apply this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If the number of ECS instances that are added to each security group is greater than 0, the configuration is considered compliant.
  • If the number of ECS instances that are added to each security group is equal to 0, the configuration is considered incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.
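The evaluation logic above, expressed as a small Python check over a constructed inventory. This is an added example, not Alibaba Cloud's own rule implementation: the instance and security-group records, their field names (SecurityGroupIds and so on) and the IDs are assumptions made for this example and do not follow the ECS API response schema. Each instance carries the IDs of the security groups it is added to; a group is compliant when at least one instance references it, and incompliant when none does.

```python
from collections import Counter

# Constructed sample inventory (assumed field names, not real account data).
SECURITY_GROUPS = [
    {"SecurityGroupId": "sg-example-web", "SecurityGroupName": "web"},
    {"SecurityGroupId": "sg-example-db", "SecurityGroupName": "db"},
    {"SecurityGroupId": "sg-example-legacy", "SecurityGroupName": "legacy-2019"},
]

INSTANCES = [
    {"InstanceId": "i-example-1", "SecurityGroupIds": ["sg-example-web"]},
    {"InstanceId": "i-example-2", "SecurityGroupIds": ["sg-example-web", "sg-example-db"]},
    {"InstanceId": "i-example-3", "SecurityGroupIds": ["sg-example-db"]},
]


def count_instances_per_group(security_groups, instances):
    """Return {security_group_id: number of ECS instances added to that group}.

    Every group in the inventory appears in the result, so a group that no
    instance references is reported with a count of 0 rather than omitted.
    """
    counts = Counter()
    for inst in instances:
        # An instance added to several groups counts once for each of them;
        # set() guards against a duplicated ID within one instance record.
        counts.update(set(inst["SecurityGroupIds"]))
    return {sg["SecurityGroupId"]: counts.get(sg["SecurityGroupId"], 0)
            for sg in security_groups}


def evaluate(security_groups, instances):
    """Apply the rule: count > 0 is COMPLIANT, count == 0 is INCOMPLIANT."""
    return {
        sg_id: ("COMPLIANT" if n > 0 else "INCOMPLIANT")
        for sg_id, n in count_instances_per_group(security_groups, instances).items()
    }


def unused_groups(security_groups, instances):
    """Sorted IDs of the security groups the rule would flag as incompliant."""
    verdicts = evaluate(security_groups, instances)
    return sorted(sg_id for sg_id, v in verdicts.items() if v == "INCOMPLIANT")


if __name__ == "__main__":
    for sg_id, verdict in evaluate(SECURITY_GROUPS, INSTANCES).items():
        print(f"{sg_id}: {verdict}")
    # Groups listed here need the remediation below: add an instance or delete them.
    print("unused:", unused_groups(SECURITY_GROUPS, INSTANCES))
```

The check is evaluated per security group, which matches how the rule reports results: two groups in the sample are in use and the third, which no instance references, is the one to remediate or delete.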

Rule details

Item                      Description
Rule name                 ecs-security-group-not-used
Rule identifier           ecs-security-group-not-used
Tag                       ECS and SecurityGroup
Automatic remediation     Not supported
Trigger type              Configuration change
Supported resource type   ECS security group
Input parameter           None.

Incompliance remediation

Add an ECS instance to a security group. For more information, see Associate security groups with an instance (primary ENI).