Inbound Traffic Is Allowed on SSH Ports Only
Rule Details
Parameter | Description
---|---
Rule Name | vpc-sg-restricted-ssh
Identifier | Inbound Traffic Is Allowed on SSH Ports Only
Description | If a security group allows all inbound traffic (with the source address set to 0.0.0.0/0 or ::/0) and opens the TCP 22 port, this security group is non-compliant.
Tag | vpc
Trigger Type | Configuration change
Filter Type | vpc.securityGroups
Rule Parameters | None
Application Scenarios
Port 22 is the default port for Secure Shell (SSH) and is used for remote login and server management.
0.0.0.0/0 indicates all IPv4 addresses, and ::/0 indicates all IPv6 addresses. Not allowing port 22 to be reached from every IP address (that is, from 0.0.0.0/0 or ::/0) significantly reduces the exposure of your server and the likelihood of it being scanned and attacked.
Solution
Rule Logic
- If a security group does not allow all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the TCP port 22, this security group is compliant.
- If a security group allows all IPv4 and IPv6 traffic (with the source address set to 0.0.0.0/0 or ::/0) to the TCP port 22, this security group is non-compliant.

- If the source address of a security group rule is a security group, the traffic from the source security group will not be checked and is trusted.
- If the source address of a security group rule is an IP address group, the IP addresses configured for the IP address group will not be checked, because the IP address group cannot contain all IP addresses.
- A security group typically contains multiple rules, and these rules take effect in a certain order. For details, see How Traffic Matches Security Group Rules. This Config rule ignores all Deny rules in a security group and evaluates only the traffic that Allow rules admit.
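The following Python script is an added illustration of the rule logic above; it is not the Config service's own implementation. It models a security group as a list of rules and reports the group as non-compliant only when an inbound Allow rule admits TCP port 22 (alone or inside a port range) from 0.0.0.0/0 or ::/0. Rules whose source is a security group or an IP address group are skipped, and Deny rules are ignored, as the notes above describe. The field names (`remote_ip_prefix`, `remote_group_id`, `remote_address_group_id`), the treatment of protocol `all` as covering TCP 22, and all sample rules are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


# Constructed model of a security group rule; field names are assumptions
# chosen for this example, not the cloud provider's API schema.
@dataclass
class SecurityGroupRule:
    direction: str                                 # "ingress" or "egress"
    protocol: str                                  # "tcp", "udp", "icmp" or "all"
    port_range: Optional[str] = None               # "22", "20-25", or None for all ports
    action: str = "allow"                          # "allow" or "deny"
    remote_ip_prefix: Optional[str] = None         # CIDR source, e.g. "0.0.0.0/0"
    remote_group_id: Optional[str] = None          # source is another security group
    remote_address_group_id: Optional[str] = None  # source is an IP address group


ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
SSH_PORT = 22


def port_range_covers(port_range: Optional[str], port: int) -> bool:
    """True if the rule's port range includes `port`; None means all ports."""
    if port_range is None:
        return True
    lo, _, hi = port_range.partition("-")
    low = int(lo)
    high = int(hi) if hi else low
    return low <= port <= high


def rule_exposes_ssh(rule: SecurityGroupRule) -> bool:
    """Does this single rule admit TCP/22 from every IPv4 or IPv6 address?"""
    if rule.direction != "ingress" or rule.action != "allow":
        return False  # only inbound Allow rules are evaluated; Deny rules are ignored
    if rule.remote_group_id or rule.remote_address_group_id:
        return False  # security-group and IP-address-group sources are not checked
    if rule.remote_ip_prefix not in (ANY_IPV4, ANY_IPV6):
        return False  # a specific CIDR is not "all addresses"
    if rule.protocol not in ("tcp", "all"):
        return False  # assumption: protocol "all" also carries TCP 22
    return port_range_covers(rule.port_range, SSH_PORT)


def offending_rules(rules: List[SecurityGroupRule]) -> List[SecurityGroupRule]:
    """Return the rules that make the group non-compliant (for remediation)."""
    return [r for r in rules if rule_exposes_ssh(r)]


def evaluate(rules: List[SecurityGroupRule]) -> str:
    """'non-compliant' if any rule exposes SSH to the world, else 'compliant'."""
    return "non-compliant" if offending_rules(rules) else "compliant"


# Constructed sample security groups (placeholder IDs and CIDRs).
OPEN_SG = [
    SecurityGroupRule("ingress", "tcp", "22", remote_ip_prefix=ANY_IPV4),
    SecurityGroupRule("ingress", "tcp", "443", remote_ip_prefix=ANY_IPV4),
]
RESTRICTED_SG = [
    SecurityGroupRule("ingress", "tcp", "22", remote_ip_prefix="203.0.113.0/24"),
    SecurityGroupRule("ingress", "tcp", "22", remote_group_id="sg-bastion-placeholder"),
    SecurityGroupRule("ingress", "tcp", "22", remote_address_group_id="ipg-admins-placeholder"),
    SecurityGroupRule("ingress", "tcp", "22", action="deny", remote_ip_prefix=ANY_IPV4),
]
WIDE_RANGE_SG = [
    # Port 22 is hidden inside a range, which the check must still catch.
    SecurityGroupRule("ingress", "tcp", "1-1024", remote_ip_prefix=ANY_IPV6),
]

if __name__ == "__main__":
    for name, sg in (("open", OPEN_SG), ("restricted", RESTRICTED_SG), ("wide-range", WIDE_RANGE_SG)):
        print(f"{name}: {evaluate(sg)}")
        for r in offending_rules(sg):
            print(f"  offending rule: {r}")
```

Running the script prints `open: non-compliant`, `restricted: compliant` and `wide-range: non-compliant`, with the offending rule listed under each non-compliant group. The `WIDE_RANGE_SG` case is the one operators most often miss: a rule such as `1-1024` from `::/0` exposes SSH just as much as an explicit `22` rule does.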