Updated on 2025-08-25 GMT+08:00

Inbound Traffic Is Allowed on Specified Ports Only

Rule Details

Table 1 Rule details (Parameter: Description)

Rule Name: vpc-sg-restricted-common-ports

Identifier: Inbound Traffic Is Allowed on Specified Ports Only

Description: If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is non-compliant.

Tag: vpc

Trigger Type: Configuration change

Filter Type: vpc.securityGroups

Rule Parameters: blockedPorts indicates the list of ports to be restricted. This is an array type parameter. The default value is 20, 21, 3306, and 3389.
  • 20: File Transfer Protocol (FTP) data port
  • 21: File Transfer Protocol (FTP) control port
  • 3306: MySQL port
  • 3389: Remote Desktop Protocol (RDP) port

Application Scenarios

0.0.0.0/0 indicates all IPv4 addresses, and ::/0 indicates all IPv6 addresses. If any IP address on the Internet is allowed to reach the high-risk ports you specified, the exposure of the instance and the likelihood of an attack increase greatly.

  • If the database service ports (for example, port 3306 of MySQL) allow access from 0.0.0.0/0 or ::/0, unauthorized users may access sensitive data.
  • If the management ports (for example, port 22 of SSH and port 3389 of RDP) allow access from 0.0.0.0/0 or ::/0, the server may be intruded.

You are advised to configure security group rules based on the principle of least privilege to avoid over-authorization.

Rule Logic

  • If no rule in a security group allows traffic from all IPv4 or IPv6 addresses (source address 0.0.0.0/0 or ::/0) to the specified ports, this security group is compliant.
  • If any rule in a security group allows traffic from all IPv4 or IPv6 addresses (source address 0.0.0.0/0 or ::/0) to the specified ports, this security group is non-compliant.
  • If the source of a security group rule is another security group, traffic from that source security group is treated as trusted and is not checked.
  • If the source of a security group rule is an IP address group, the IP addresses configured in that group are not checked, because an IP address group cannot contain all IP addresses.
  • A security group typically contains multiple rules, and these rules take effect in a defined order. For details, see How Traffic Matches Security Group Rules. This Config rule does not evaluate Deny rules in security groups; it only examines the traffic that Allow rules may admit.