Non-whitelisted Ports Must Be Disabled in a Security Group
Rule Details
Parameter | Description
---|---
Rule Name | vpc-sg-by-white-list-ports-check
Identifier | Non-whitelisted Ports Must Be Disabled in a Security Group
Description | If a security group allows traffic to a non-whitelisted port, this security group is non-compliant.
Tag | vpc
Trigger Type | Configuration change
Filter Type | vpc.securityGroups
Rule Parameters | whiteListPorts: whitelisted ports
Application Scenarios
Checking security group ports is critical to public cloud security management. The core purpose is to ensure that network traffic is secure and controllable. Open ports are the main entry point for external attacks. For example, exposing unnecessary ports (such as unencrypted HTTP port 80 and the default database ports 3306/27017) invites scanning and intrusion.
Solution
Modify security group rules to prevent unnecessary ports from being exposed.
Rule Logic
- If a security group denies both inbound and outbound traffic to all non-whitelisted ports, this security group is compliant.
- If a security group allows traffic to any non-whitelisted port, this security group is non-compliant.

A security group typically contains multiple rules, and these rules take effect in a defined order. For details, see How Traffic Matches Security Group Rules. This Config rule ignores all Deny rules in a security group and evaluates only the traffic that its Allow rules permit.
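The following is an added example, not Huawei Cloud's Config implementation, showing how the rule logic above can be evaluated locally: Deny rules are skipped, every Allow rule on TCP/UDP (or "any" protocol) is expanded to the ports it opens, and any port outside the `whiteListPorts` list makes the security group non-compliant. The `SgRule` structure and the sample rules are constructed for illustration and do not follow the VPC API schema; the example also handles port ranges and rules that open all ports, which the text only implies.

```python
"""Added example: evaluate security group rules against a port whitelist.

The SgRule shape and the sample rules below are constructed for this
illustration and are not the Huawei Cloud VPC API schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

MIN_PORT, MAX_PORT = 1, 65535


@dataclass(frozen=True)
class SgRule:
    direction: str            # "ingress" (inbound) or "egress" (outbound)
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "any"
    port_min: Optional[int]   # None means the rule opens all ports
    port_max: Optional[int]


def parse_whitelist(spec: str) -> Set[int]:
    """Parse a whiteListPorts value such as '22,443,8000-8010' into a set."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def non_whitelisted_ports(rule: SgRule, whitelist: Set[int]) -> Set[int]:
    """Return the ports this rule opens that are not on the whitelist.

    Deny rules are skipped, mirroring the Config rule, which only looks at
    traffic that Allow rules permit. Protocols without ports (e.g. icmp)
    contribute nothing.
    """
    if rule.action.lower() != "allow":
        return set()
    if rule.protocol.lower() not in ("tcp", "udp", "any"):
        return set()
    lo = rule.port_min if rule.port_min is not None else MIN_PORT
    hi = rule.port_max if rule.port_max is not None else MAX_PORT
    return set(range(lo, hi + 1)) - whitelist


def evaluate(rules: Iterable[SgRule], whitelist: Set[int]) -> Tuple[str, List[Dict]]:
    """Return ("COMPLIANT" | "NON_COMPLIANT", findings) for one security group."""
    findings: List[Dict] = []
    for rule in rules:
        extra = non_whitelisted_ports(rule, whitelist)
        if not extra:
            continue
        findings.append({
            "direction": rule.direction,
            "protocol": rule.protocol,
            "ports": "all" if rule.port_min is None else f"{rule.port_min}-{rule.port_max}",
            "non_whitelisted_count": len(extra),
            "examples": sorted(extra)[:5],   # first few offending ports
        })
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings


# Constructed sample security group: two rules open non-whitelisted ports.
SAMPLE_RULES = [
    SgRule("ingress", "allow", "tcp", 22, 22),        # SSH, whitelisted
    SgRule("ingress", "allow", "tcp", 80, 80),        # HTTP, not whitelisted
    SgRule("ingress", "deny", "tcp", 3306, 3306),     # Deny rule, ignored
    SgRule("ingress", "allow", "icmp", None, None),   # no ports, ignored
    SgRule("egress", "allow", "any", None, None),     # all ports outbound
    SgRule("ingress", "allow", "tcp", 8000, 8010),    # whitelisted range
]

if __name__ == "__main__":
    status, report = evaluate(SAMPLE_RULES, parse_whitelist("22,443,8000-8010"))
    print(status)
    for finding in report:
        print(finding)
```

Running the block prints `NON_COMPLIANT` followed by two findings: the inbound TCP 80 rule and the outbound "all ports" rule. The all-ports case is the one most often missed in manual review, since a single permissive egress rule makes every non-whitelisted port reachable regardless of the tighter inbound rules.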