Check your EC2 security groups for inbound rules that allow unrestricted access (0.0.0.0/0 for IPv4 or ::/0 for IPv6) to TCP port 25, and restrict each such rule to the IP addresses or CIDR ranges that actually need to reach the mail service. This applies the principle of least privilege and reduces the chance of a breach. Note that a rule granting all traffic (protocol "-1") or a port range that includes 25 from one of those sources exposes SMTP just as much as an explicit port 25 rule. TCP port 25 is the port on which SMTP (Simple Mail Transfer Protocol) servers accept electronic mail (email) for transmission: https://goo.gl/bnjFP.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Exposing SMTP to the entire internet widens the attack surface of the instance: the mail service becomes a target for brute-force and credential attacks, abuse as an open relay for spam, exploitation of vulnerabilities in the mail daemon or the filters it invokes (Shellshock was reachable through mail pipelines that handed message headers to bash), and Denial-of-Service (DoS) attacks.
Audit
To determine if your EC2 security groups allow unrestricted SMTP access, perform the following:
Remediation / Resolution
To update your security groups' inbound (ingress) configuration so that SMTP access is restricted to specific sources (individual IP addresses or CIDR ranges), perform the following:
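The audit and remediation steps above are not reproduced on this page. As an added illustration (not Conformity's own tooling), the following script implements both against the JSON shape that `aws ec2 describe-security-groups --output json` returns: it flags every ingress rule that lets 0.0.0.0/0 or ::/0 reach TCP/25, including all-traffic ("-1") rules and port ranges that span 25, and then prints the `revoke-security-group-ingress` / `authorize-security-group-ingress` commands that replace them. The security group IDs, names and rules in `SAMPLE_DESCRIBE_OUTPUT` are constructed for the example, and `allowed_cidrs` is a hypothetical list of sources that legitimately need SMTP.

```python
import json
import shlex

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
# Group IDs, names and rules are invented for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "mail-relay", "IpPermissions": [
        # TCP/25 open to the world over IPv4 (plus one legitimate range)
        {"IpProtocol": "tcp", "FromPort": 25, "ToPort": 25,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # HTTPS open to the world: out of scope for this rule
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-wide-open", "IpPermissions": [
        # A 20-1024 range from ::/0 covers port 25 as well
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # "-1" is all protocols and all ports, so SMTP is exposed too
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "mail-internal", "IpPermissions": [
        # Restricted to a corporate range: compliant
        {"IpProtocol": "tcp", "FromPort": 25, "ToPort": 25,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}]},
]})

SMTP_PORT = 25
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def rule_covers_port(perm, port=SMTP_PORT):
    """True when an IpPermissions entry lets TCP traffic reach `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):          # "6" is the numeric form of TCP
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_ranges(perm):
    """Split a rule's sources into (world-open IPv4, world-open IPv6, other) entries."""
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    other = [r.get("CidrIp") or r.get("CidrIpv6")
             for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])]
    return v4, v6, [c for c in other if c not in (ANY_V4, ANY_V6)]


def find_unrestricted_smtp(describe_json):
    """Audit: (group_id, cidr) for every rule exposing TCP/25 to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if rule_covers_port(perm):
                v4, v6, _ = world_open_ranges(perm)
                findings += [(sg["GroupId"], r["CidrIp"]) for r in v4]
                findings += [(sg["GroupId"], r["CidrIpv6"]) for r in v6]
    return findings


def _cli(action, group_id, ip_permissions):
    body = json.dumps(ip_permissions, separators=(",", ":"))
    return "aws ec2 %s --group-id %s --ip-permissions %s" % (action, group_id, shlex.quote(body))


def remediation_commands(describe_json, allowed_cidrs):
    """Remediation: CLI calls that drop the world-open sources and re-grant TCP/25 narrowly.

    revoke-security-group-ingress only matches an existing rule exactly, so each revoke
    keeps the rule's own protocol/port range and removes just the 0.0.0.0/0 or ::/0 entry.
    For "-1" or wide port-range rules that also removes the other ports they granted; the
    operator must re-add any of those that are genuinely required.
    """
    cmds = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        gid, revoked, already = sg["GroupId"], False, set()
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm):
                continue
            v4, v6, other = world_open_ranges(perm)
            already.update(other)              # sources that already reach port 25
            if not (v4 or v6):
                continue
            revoke = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            if v4:
                revoke["IpRanges"] = v4
            if v6:
                revoke["Ipv6Ranges"] = v6
            cmds.append(_cli("revoke-security-group-ingress", gid, [revoke]))
            revoked = True
        if revoked:
            # Re-open TCP/25 only from the approved sources not already present
            # (authorizing a duplicate rule is rejected by the API).
            new = [c for c in allowed_cidrs if c not in already]
            grant = {"IpProtocol": "tcp", "FromPort": SMTP_PORT, "ToPort": SMTP_PORT}
            if any(":" not in c for c in new):
                grant["IpRanges"] = [{"CidrIp": c} for c in new if ":" not in c]
            if any(":" in c for c in new):
                grant["Ipv6Ranges"] = [{"CidrIpv6": c} for c in new if ":" in c]
            if len(grant) > 3:
                cmds.append(_cli("authorize-security-group-ingress", gid, [grant]))
    return cmds


if __name__ == "__main__":
    for gid, cidr in find_unrestricted_smtp(SAMPLE_DESCRIBE_OUTPUT):
        print("NON-COMPLIANT %s allows TCP/25 from %s" % (gid, cidr))
    # Hypothetical approved sources; replace with the ranges that really need SMTP.
    for cmd in remediation_commands(SAMPLE_DESCRIBE_OUTPUT, ["203.0.113.0/24", "2001:db8::/32"]):
        print(cmd)
```

Feed it the real output of `aws ec2 describe-security-groups --output json` instead of the sample to run it against an account, and review the printed commands before executing them: the revoke for an all-traffic or wide port-range rule removes every port that rule granted from the world, not only SMTP.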
References
- AWS Documentation
  - Amazon EC2 Security Groups for Linux Instances
  - Security Groups for Your VPC
  - Authorizing Inbound Traffic for Your Linux Instances
- AWS Command Line Interface (CLI) Documentation
  - ec2
    - describe-security-groups
    - revoke-security-group-ingress
    - authorize-security-group-ingress
Rule: Unrestricted SMTP Access
Risk level: Medium