Updated on 2025-08-25 GMT+08:00

Security Group Port Check

Rule Details

Table 1 Rule details

Parameter

Description

Rule Name

vpc-sg-ports-check

Identifier

Security Group Port Check

Description

If a security group allows all inbound traffic (Source: 0.0.0.0/0 or ::/0) and opens all TCP/UDP ports, this security group is non-compliant.

Tag

vpc

Trigger Type

Configuration change

Filter Type

vpc.securityGroups

Rule Parameters

None

Application Scenarios

0.0.0.0/0 indicates all IPv4 addresses, and ::/0 indicates all IPv6 addresses. If any IP address is allowed to access any port, the risk of being attacked is greatly increased.

You are advised to configure security group rules based on the principle of least privilege to avoid over-authorization.

Rule Logic

  • If a security group does not have the source address set to 0.0.0.0/0 or ::/0, or does not open all TCP/UDP ports, this security group is compliant.
  • If a security group has the source address set to 0.0.0.0/0 or ::/0 and opens all TCP/UDP ports, this security group is non-compliant.

A security group typically contains multiple rules, and these rules follow a certain order to take effect. For details, see How Traffic Matches Security Group Rules. This Config rule bypasses all Deny rules in security groups, and only focuses on the traffic that you may allow.