Ensure that your Amazon EC2 security groups don't have ranges of ports opened for inbound traffic, in order to protect the associated EC2 instances against Denial-of-Service (DoS) and brute-force attacks. Trend Cloud One™ – Conformity strongly recommends opening only the specific ports within your security groups that your applications require.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Opening a range of ports inside your Amazon EC2 security groups is not a good practice because it allows attackers to use port scanners and other probing techniques to identify services and applications running on your EC2 instances and exploit their potential vulnerabilities.
Audit
To determine whether your Amazon EC2 security groups use port ranges to allow inbound traffic, perform the following actions:
Remediation / Resolution
To configure specific ports instead of port ranges for your Amazon EC2 security group rules, perform the following actions:
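As an added example covering both the audit and the remediation steps above (it is not part of this rule page or of Conformity's tooling), the following Python script parses the JSON that `aws ec2 describe-security-groups` returns, flags inbound rules whose `FromPort` and `ToPort` differ (all-traffic rules, protocol `-1`, carry no ports and are reported as the full 0-65535 span), and builds the `revoke-security-group-ingress` / `authorize-security-group-ingress` commands that replace one range rule with single-port rules. The sample output, the group IDs and the list of required ports are constructed for illustration; the commands are returned as strings for review rather than executed, and only IPv4 CIDR sources are handled.

```python
import json

# Constructed sample of `aws ec2 describe-security-groups` output (not real data):
# one group with a compliant single-port rule and a non-compliant range,
# one group with an all-traffic rule.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "web-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "legacy-sg",
            "IpPermissions": [
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": []},
            ],
        },
    ]
})


def find_port_range_rules(describe_output_json):
    """Audit: return inbound rules whose port span covers more than one port.

    Each finding carries GroupId, IpProtocol, FromPort, ToPort and the IPv4
    source CIDRs. Protocol "-1" (all traffic) has no FromPort/ToPort in the
    API output, so it is reported as 0-65535. ICMP and other protocols have
    no port concept and are skipped.
    """
    doc = json.loads(describe_output_json)
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "udp", "-1"):
                continue
            from_port = perm.get("FromPort", 0)
            to_port = perm.get("ToPort", 65535)
            if from_port == to_port:
                continue  # single port: compliant with the rule
            findings.append({
                "GroupId": group["GroupId"],
                "IpProtocol": proto,
                "FromPort": from_port,
                "ToPort": to_port,
                "Sources": [r["CidrIp"] for r in perm.get("IpRanges", [])],
            })
    return findings


def remediation_commands(finding, required_ports):
    """Remediation: build the CLI commands that replace one range rule.

    `required_ports` is the list of ports the application actually needs
    (supplied by the operator; the values used in the test are an assumption).
    The revoke command must match the existing rule exactly (protocol, port
    range and CIDR), so those values are copied from the finding. All-traffic
    rules are not rewritten automatically because the replacement protocol
    and ports are a per-workload decision.
    """
    gid = finding["GroupId"]
    proto = finding["IpProtocol"]
    if proto == "-1":
        return [f"# {gid}: all-traffic rule from {finding['Sources']} must be "
                f"replaced manually with explicit per-port rules"]
    cmds = []
    for src in finding["Sources"]:
        cmds.append(
            f"aws ec2 revoke-security-group-ingress --group-id {gid} "
            f"--protocol {proto} --port {finding['FromPort']}-{finding['ToPort']} "
            f"--cidr {src}")
        for port in required_ports:
            cmds.append(
                f"aws ec2 authorize-security-group-ingress --group-id {gid} "
                f"--protocol {proto} --port {port} --cidr {src}")
    return cmds


if __name__ == "__main__":
    # Replace SAMPLE_DESCRIBE_OUTPUT with the real command output to audit an account.
    for f in find_port_range_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['GroupId']}: {f['IpProtocol']} {f['FromPort']}-{f['ToPort']} "
              f"from {f['Sources']}")
        for cmd in remediation_commands(f, required_ports=[8080, 8443]):
            print("  " + cmd)
```

Review the generated commands before running them: revoking the range and authorizing the replacements are two separate API calls, so do the authorize step first if the workload cannot tolerate a brief window without the rule.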
References
- AWS Documentation
  - Amazon EC2 security groups for Linux instances
  - Work with security groups
  - Security group rules for different use cases
  - Authorize inbound traffic for your Linux instances
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-security-groups
    - revoke-security-group-ingress
    - authorize-security-group-ingress
- CloudFormation Documentation
  - Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
  - AWS Provider