Inbound Traffic Is Allowed on Specified Ports Only
Rule Details
Parameter |
Description |
---|---|
Rule Name |
vpc-sg-restricted-common-ports |
Identifier |
Inbound Traffic Is Allowed on Specified Ports Only |
Description |
If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is non-compliant. |
Tag |
vpc |
Trigger Type |
Configuration change |
Filter Type |
vpc.securityGroups |
Rule Parameters |
blockedPorts: indicates the list of ports to be restricted. This is an array type parameter. The default value is 20, 21, 3306, and 3389.
|
Application Scenarios
0.0.0.0/0 indicates all IPv4 addresses, and ::/0 indicates all IPv6 addresses. If any IP address is allowed to access the high-risk ports you specified, the risk of being attacked is greatly increased.
- If the database service ports (for example, port 3306 of MySQL) allow access from 0.0.0.0/0 or ::/0, unauthorized users may access sensitive data.
- If the management ports (for example, port 22 of SSH and port 3389 of RDP) allow access from 0.0.0.0/0 or ::/0, the server may be intruded.
You are advised to configure security group rules based on the principle of least privilege to avoid over-authorization.
Solution
Rule Logic
- If a security group does not allow all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is compliant.
- If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the specified ports, this security group is non-compliant.

- If the source address of a security group rule is a security group, the traffic from the source security group will not be checked and is trusted.
- If the source address of a security group rule is an IP address group, the IP addresses configured for the IP address group will not be checked, because the IP address group cannot contain all IP addresses.
- A security group typically contains multiple rules, and these rules follow a certain order to take effect. For details, see How Traffic Matches Security Group Rules. This Config rule bypasses all Deny rules in security groups, and only focuses on the traffic that you may allow.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot