Ensure that your security groups don't have ranges of ports opened for inbound traffic, so that your EC2 instances are not needlessly exposed to denial-of-service (DoS) attacks or brute-force attacks. Cloud Conformity strongly recommends opening only the specific ports your applications require within your security groups.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Opening a range of ports inside your EC2 security groups is not a good practice because it allows attackers to use port scanners and other probing techniques to identify the services running on your instances and exploit their vulnerabilities.
Audit
To determine if your EC2 security groups use ranges of ports to allow inbound traffic, perform the following:
Remediation / Resolution
To allow specific ports instead of ranges of ports in your EC2 security groups, perform the following:
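The audit and remediation steps above both work from the output of `aws ec2 describe-security-groups` and the `revoke-security-group-ingress` / `authorize-security-group-ingress` commands listed under References. The following is an added example, not Cloud Conformity's tooling, that shows both halves offline: it parses a constructed sample document shaped like the CLI's JSON output, flags every inbound rule that spans more than one port (including `-1` "all protocols" rules), and drafts the CLI commands that would replace such a rule with single-port rules for the same sources. The group ids, account id and CIDRs in the sample are placeholders.

```python
"""Audit EC2 security groups for inbound port ranges and draft the
revoke/authorize commands that replace them with single-port rules.

Added example, not Cloud Conformity's own code. It assumes the JSON shape
returned by `aws ec2 describe-security-groups --output json`; the sample
below is constructed and every id / CIDR in it is a placeholder.
"""
import json
import shlex

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",      # placeholder id
            "GroupName": "web-tier",
            "IpPermissions": [
                # Single port: compliant.
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
                # Range of ports: finding.
                {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
                # All protocols and therefore all ports: finding.
                {"IpProtocol": "-1", "IpRanges": [],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",      # placeholder id
            "GroupName": "db-tier",
            "IpPermissions": [
                # Single port from another security group: compliant.
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0",
                                       "UserId": "123456789012"}]},
            ],
        },
    ]
})


def _sources(perm):
    """Flatten a rule's sources: IPv4 CIDRs, IPv6 CIDRs and referenced groups."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])])


def find_port_range_rules(describe_output_json):
    """Return one finding per inbound rule that opens more than one port.

    tcp/udp rules are findings when FromPort != ToPort; protocol "-1" is a
    finding because it opens every port. ICMP rules are skipped: there,
    FromPort/ToPort carry the ICMP type and code, not port numbers.
    """
    findings = []
    for group in json.loads(describe_output_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto in ("icmp", "icmpv6"):
                continue
            if proto == "-1":
                span = "all protocols/ports"
            elif perm.get("FromPort") != perm.get("ToPort"):
                span = f"{proto} {perm['FromPort']}-{perm['ToPort']}"
            else:
                continue
            findings.append({"GroupId": group["GroupId"],
                             "GroupName": group["GroupName"],
                             "Span": span, "Sources": _sources(perm),
                             "Rule": perm})
    return findings


def remediation_commands(finding, allowed_ports, protocol="tcp"):
    """Draft (do not run) the CLI commands that replace the offending rule with
    one single-port rule per entry in allowed_ports, keeping the same sources."""
    gid = finding["GroupId"]
    # Revoke exactly the rule we found. --ip-permissions mirrors the rule's
    # own JSON, so IPv4, IPv6 and security-group sources are all handled.
    cmds = [f"aws ec2 revoke-security-group-ingress --group-id {gid} "
            f"--ip-permissions {shlex.quote(json.dumps([finding['Rule']]))}"]
    # Carry over only the non-empty source lists from the original rule.
    src = {k: finding["Rule"][k] for k in ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs")
           if finding["Rule"].get(k)}
    for port in allowed_ports:
        perm = {"IpProtocol": protocol, "FromPort": port, "ToPort": port, **src}
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {gid} "
                    f"--ip-permissions {shlex.quote(json.dumps([perm]))}")
    return cmds


if __name__ == "__main__":
    for f in find_port_range_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Span']} from {f['Sources']}")
        # Ports 8080/8443 stand in for whatever the application actually needs.
        for cmd in remediation_commands(f, [8080, 8443]):
            print("  ", cmd)
```

Against real output, pipe `aws ec2 describe-security-groups --output json` into `find_port_range_rules` and review the drafted commands before running any of them: the port list handed to `remediation_commands` has to come from the application's documented requirements, and the revoke should only be issued once the replacement single-port rules are confirmed to cover every legitimate flow.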
References
- AWS Documentation
  - Amazon EC2 Security Groups for Linux Instances
  - Authorizing Inbound Traffic for Your Linux Instances
- AWS Command Line Interface (CLI) Documentation
  - ec2
  - describe-security-groups
  - authorize-security-group-ingress
  - revoke-security-group-ingress
Rule: Security Group Port Range
Risk level: Medium