Checks whether the inbound access configuration of a security group is valid.

Scenario

Security groups act as virtual firewalls to provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups to define security domains in the cloud. You can configure security group rules to control the inbound and outbound traffic of Elastic Compute Service (ECS) instances in security groups.

Risk level

Default risk level: high.

You can change the risk level as required when you apply this rule.

Compliance evaluation logic

  • If a security group rule that allows inbound access does not specify both the port range -1/-1 (all ports) and the CIDR block 0.0.0.0/0 (any source address), the configuration is considered compliant.
  • If a security group rule that allows inbound access specifies both the port range -1/-1 and the CIDR block 0.0.0.0/0, the configuration is considered non-compliant, because every port of the instances in the group is reachable from the entire Internet. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
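The evaluation logic above, written out as an added example (not the cloud provider's own implementation) that runs over a constructed list of rules; the field names direction, policy, port_range and source_cidr are assumptions and not the ECS API's own names:

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroupRule:
    """One security group rule; field names are assumptions for this example."""
    direction: str    # "ingress" or "egress"
    policy: str       # "accept" or "drop"
    port_range: str   # e.g. "22/22"; "-1/-1" means all ports
    source_cidr: str  # e.g. "0.0.0.0/0" means any IPv4 source


def is_public_access_rule(rule: SecurityGroupRule) -> bool:
    """True only when an inbound allow rule opens all ports to 0.0.0.0/0.

    A rule that has only one of the two conditions (all ports from a narrow
    CIDR, or one port from 0.0.0.0/0) is compliant under this check.
    """
    return (
        rule.direction.lower() == "ingress"
        and rule.policy.lower() == "accept"
        and rule.port_range.strip() == "-1/-1"
        and rule.source_cidr.strip() == "0.0.0.0/0"
    )


def evaluate_security_group(
    rules: list[SecurityGroupRule],
) -> tuple[str, list[SecurityGroupRule]]:
    """Return the compliance status and the rules that triggered it."""
    offending = [r for r in rules if is_public_access_rule(r)]
    return ("NON_COMPLIANT" if offending else "COMPLIANT"), offending


# Constructed sample rules: only the first one violates the check.
SAMPLE_RULES = [
    SecurityGroupRule("ingress", "accept", "-1/-1", "0.0.0.0/0"),   # all ports, any source
    SecurityGroupRule("ingress", "accept", "443/443", "0.0.0.0/0"), # one port, any source
    SecurityGroupRule("ingress", "accept", "-1/-1", "10.0.0.0/8"),  # all ports, private range
    SecurityGroupRule("ingress", "drop", "-1/-1", "0.0.0.0/0"),     # explicit deny, not allow
    SecurityGroupRule("egress", "accept", "-1/-1", "0.0.0.0/0"),    # outbound, out of scope
]

if __name__ == "__main__":
    status, offending = evaluate_security_group(SAMPLE_RULES)
    print(status)
    for rule in offending:
        print("  offending rule:", rule)
```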

Rule details

Rule name: sg-public-access-check
Rule ID: sg-public-access-check
Tag: SecurityGroup
Automatic remediation: Not supported
Trigger type: Configuration change
Supported resource type: ECS security group
Input parameter: None

Non-compliance remediation

Modify the security group rules that allow inbound access on all ports (-1/-1) from 0.0.0.0/0, for example by narrowing the source CIDR block or the port range so that the two values are no longer specified together. For more information, see Modify security group rules.