A Security Group Should Connect to At Least One Elastic Network Interface
Rule Details
Parameter | Description
---|---
Rule Name | vpc-sg-attached-ports
Identifier | A Security Group Should Connect to At Least One Elastic Network Interface
Description | If a custom security group is not attached to any elastic network interface, this security group is non-compliant.
Tag | vpc
Trigger Type | Configuration change
Filter Type | vpc.securityGroups
Rule Parameters | None
Application Scenarios
An elastic network interface is a virtual network card. You can create and configure elastic network interfaces and attach them to your instances (ECSs and BMSs) to obtain flexible and highly available network configurations. For details, see Elastic Network Interface Overview.
Security group rules take effect only after the security group is associated with an elastic network interface. A security group that is not associated with any elastic network interface filters and controls no instance traffic at all, so the access control it is meant to provide is silently absent. As a result, sensitive data may be disclosed or unauthorized access may occur.

You are not advised to add an instance to the default security group. Therefore, this policy does not check the default security group.
Solution
Associate the security group with the network interface of the instance it is intended to protect, so that its rules actually take effect. If a security group is no longer used, delete it. For details, see Deleting a Security Group.
Rule Logic
- If a custom VPC security group is not attached to an elastic network interface, the check result is non-compliant.
- If all custom VPC security groups are attached to elastic network interfaces, the check result is compliant.
- If the VPC security group is the default security group, the check result is compliant.
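The following script, added here as an illustration and not part of the Huawei Cloud Config rule implementation, applies the three rule-logic conditions above to an inventory snapshot. The security group and network interface records, the `is_default` flag and the field names are constructed for the example; the real VPC API exposes these attributes under its own names, so treat the data model as an assumption.

```python
"""Worked evaluation of the vpc-sg-attached-ports rule logic over constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    id: str
    name: str
    is_default: bool = False  # hypothetical flag marking the VPC's default security group


@dataclass(frozen=True)
class NetworkInterface:
    id: str
    security_group_ids: tuple = ()  # hypothetical field: groups attached to this ENI


def attached_group_ids(interfaces):
    """Collect the ID of every security group referenced by at least one ENI."""
    attached = set()
    for eni in interfaces:
        attached.update(eni.security_group_ids)
    return attached


def evaluate(groups, interfaces):
    """Return {security_group_id: 'compliant' | 'non-compliant'} per the rule logic:
    - default security group: always compliant (the rule does not check it)
    - custom group attached to at least one ENI: compliant
    - custom group attached to no ENI: non-compliant
    """
    attached = attached_group_ids(interfaces)
    results = {}
    for sg in groups:
        if sg.is_default or sg.id in attached:
            results[sg.id] = "compliant"
        else:
            results[sg.id] = "non-compliant"
    return results


def non_compliant_ids(groups, interfaces):
    """Sorted IDs of the groups that would be flagged; handy for a cleanup ticket."""
    return sorted(sg_id for sg_id, verdict in evaluate(groups, interfaces).items()
                  if verdict == "non-compliant")


# Constructed sample inventory (IDs and names are invented for the example).
SAMPLE_GROUPS = [
    SecurityGroup("sg-default", "default", is_default=True),
    SecurityGroup("sg-web", "web-tier"),        # attached to one ENI below
    SecurityGroup("sg-db", "db-tier"),          # attached to one ENI below
    SecurityGroup("sg-orphan", "old-bastion"),  # attached to nothing
]
SAMPLE_ENIS = [
    NetworkInterface("eni-1", ("sg-web",)),
    NetworkInterface("eni-2", ("sg-web", "sg-db")),
    NetworkInterface("eni-3", ()),              # ENI with no group attached
]

if __name__ == "__main__":
    for sg_id, verdict in evaluate(SAMPLE_GROUPS, SAMPLE_ENIS).items():
        print(f"{sg_id}: {verdict}")
    print("flagged:", non_compliant_ids(SAMPLE_GROUPS, SAMPLE_ENIS))
```

Because the rule's trigger type is a configuration change, the same `evaluate` function can be run on each security group or interface change event rather than on a full inventory sweep; the verdict for a group only depends on whether any interface still references it.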