Ensure that your security groups don't have range of ports opened for inbound traffic in order to protect your EC2 instances against denial-of-service (DoS) attacks or brute-force attacks. Cloud Conformity strongly recommends opening only specific ports within your security groups, based on your applications requirements.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Opening range of ports inside your EC2 security groups is not a good practice because it will allow attackers to use port scanners and other probing techniques to identify services running on your instances and exploit their vulnerabilities.
To determine if your EC2 security groups implement range of ports to allow inbound traffic, perform the following:
Remediation / Resolution
To implement specific ports instead of range of ports for your EC2 security groups, perform the following:
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
Security Group Port Range
Risk level: Medium