Checks whether the inbound Classless Inter-Domain Routing (CIDR) block of a security group is not set to 0.0.0.0/0, or the inbound CIDR block of a security group is set to 0.0.0.0/0 but specified high-risk ports are disabled. If the inbound CIDR block of a security group is not set to 0.0.0.0/0, or the inbound CIDR block of a security group is set to 0.0.0.0/0 but specified high-risk ports are disabled, the configuration is considered compliant.

Scenarios

You must disable all high-risk ports when you allow access to an Elastic Compute Service (ECS) instance from all CIDR blocks over the Internet. This ensures the network security of your system.

Risk level

Default risk level: high.

When you configure this rule, you can change the risk level based on your business requirements.

Compliance evaluation logic

  • If the inbound CIDR block of a security group is not set to 0.0.0.0/0, the configuration is considered compliant.
  • If the inbound CIDR block of the security group is set to 0.0.0.0/0 but the specified high-risk ports are disabled, the configuration is also considered compliant.
  • If the inbound CIDR block of the security group is set to 0.0.0.0/0 and the specified high-risk ports are enabled, the configuration is considered incompliant. For more information about how to remediate an incompliant configuration, see Incompliance remediation.

Rule details

Item Description
Rule name sg-risky-ports-check
Rule identifier sg-risky-ports-check
Tag SecurityGroup
Automatic remediation Not supported
Trigger type Configuration change
Supported resource type ECS security group
Input parameter ports
Note Separate multiple ports with commas (,).

Incompliance remediation

Modify security group rules. For more information, see Modify security group rules.