Updated on 2025-08-25 GMT+08:00

Non-whitelisted Ports Must Be Disabled in a Security Group

Rule Details

Table 1 Rule details

  Parameter         Description
  Rule Name         vpc-sg-by-white-list-ports-check
  Identifier        Non-whitelisted Ports Must Be Disabled in a Security Group
  Description       If a security group allows traffic to a non-whitelisted port, this security group is non-compliant.
  Tag               vpc
  Trigger Type      Configuration change
  Filter Type       vpc.securityGroups
  Rule Parameters   whiteListPorts: whitelisted ports

Application Scenarios

Checking security group ports is critical to public cloud security management; its core purpose is to keep network traffic secure and controllable. Open ports are the main entry point for external attacks: exposing unnecessary ports (for example, unencrypted HTTP port 80 or the default database ports 3306 and 27017) invites scanning and intrusion attempts.

Solution

Modify security group rules to prevent unnecessary ports from being exposed.

Rule Logic

  • If a security group denies both inbound and outbound traffic to all non-whitelisted ports, this security group is compliant.
  • If a security group allows traffic to any non-whitelisted port, this security group is non-compliant.

A security group typically contains multiple rules, and these rules take effect in a defined order. For details, see How Traffic Matches Security Group Rules. This Config rule skips all Deny rules in a security group and evaluates only the traffic that its Allow rules permit.
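The following is an added example that applies the rule logic above to a small set of security group rules offline. It is illustrative code, not the Config service's implementation: the rule record shape (SgRule), the comma-separated "22,443,8000-8010" format assumed for whiteListPorts, and the decision to skip port-less protocols such as ICMP are all assumptions of this example, and the sample security groups are constructed.

```python
"""Local evaluator for the vpc-sg-by-white-list-ports-check logic (added example).

Deny rules are ignored, as the page states; only what the Allow rules permit is
examined, in both directions. Record format and helper names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class SgRule:
    """One security group rule in a simplified, constructed shape (assumption)."""
    direction: str            # "ingress" or "egress"
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "any"
    port_min: Optional[int]   # None means every port of the protocol
    port_max: Optional[int]


def parse_whitelist(spec: str) -> Set[int]:
    """Parse a whiteListPorts value written as "22,443,8000-8010" (format assumed)."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"invalid port entry: {item!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def offending_ports(rule: SgRule, whitelist: Set[int]) -> Set[int]:
    """Ports that an Allow rule opens which are not on the whitelist.

    Deny rules contribute nothing. ICMP carries no port numbers, so it is
    skipped here (an assumption of this example, not a statement about Config).
    """
    if rule.action != "allow" or rule.protocol == "icmp":
        return set()
    lo = 1 if rule.port_min is None else rule.port_min
    hi = 65535 if rule.port_max is None else rule.port_max
    return {p for p in range(lo, hi + 1) if p not in whitelist}


def evaluate(rules: Iterable[SgRule], whitelist_spec: str) -> Dict[str, object]:
    """Compliant only if no Allow rule, inbound or outbound, reaches a port
    outside the whitelist; otherwise report each offending rule."""
    whitelist = parse_whitelist(whitelist_spec)
    findings: List[Dict[str, object]] = []
    for rule in rules:
        bad = offending_ports(rule, whitelist)
        if bad:
            findings.append({
                "direction": rule.direction,
                "protocol": rule.protocol,
                "range": (rule.port_min, rule.port_max),
                "non_whitelisted_count": len(bad),
                "sample": sorted(bad)[:5],   # first few ports, enough for a ticket
            })
    return {"compliant": not findings, "findings": findings}


# Constructed sample security groups (not real resource data).
SG_WEB_ONLY = [
    SgRule("ingress", "allow", "tcp", 22, 22),
    SgRule("ingress", "allow", "tcp", 443, 443),
    SgRule("ingress", "deny", "any", None, None),   # deny-all: ignored by the rule
    SgRule("egress", "allow", "tcp", 443, 443),
]
SG_OPEN_DB = SG_WEB_ONLY + [
    SgRule("ingress", "allow", "tcp", 3306, 3306),  # database port, not whitelisted
    SgRule("egress", "allow", "udp", None, None),   # every UDP port outbound
]

if __name__ == "__main__":
    for name, sg in (("web-only", SG_WEB_ONLY), ("open-db", SG_OPEN_DB)):
        print(name, evaluate(sg, "22,443"))
```

The deny-all rule in SG_WEB_ONLY produces no finding even though it spans every port, which mirrors the page's statement that Deny rules are not considered; the open-db group is flagged once for the explicit 3306 rule and once for the unbounded UDP egress rule, and the finding records how many non-whitelisted ports each rule exposes so remediation can start with the widest opening.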