Security groups should not allow unrestricted access to ports with high risk


Description

This rule verifies that security groups do not allow unrestricted inbound traffic on the following ports:

  • 20, 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 25 (SMTP)
  • 110 (POP3)
  • 135 (RPC)
  • 143 (IMAP)
  • 445 (CIFS)
  • 1433, 1434 (MSSQL)
  • 3000 (Go, Node.js, and Ruby web development frameworks)
  • 3306 (MySQL)
  • 3389 (RDP)
  • 4333 (ahsp)
  • 5000 (Python web development frameworks)
  • 5432 (PostgreSQL)
  • 5500 (fcp-addr-srvr1)
  • 5601 (OpenSearch Dashboards)
  • 8080 (proxy)
  • 8088 (legacy HTTP port)
  • 8888 (alternative HTTP port)
  • 9200, 9300 (OpenSearch)

Restricting access to these ports is a security best practice, and required by AWS Foundational Security Best Practices.

Note: This rule only inspects the security group itself and does not attempt to determine whether it is attached to resources such as an EC2 instance. Consequently, the rule has a low severity.
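The check described above, as an added example rather than the rule's own implementation: it walks the `SecurityGroups` structure returned by `aws ec2 describe-security-groups` and reports any ingress rule whose port range covers one of the listed ports and whose source is `0.0.0.0/0` or `::/0`. The group IDs and rules below are constructed sample data.

```python
# Added example (not Datadog's rule code): flags ingress rules that expose a
# high-risk port to 0.0.0.0/0 or ::/0, including via port ranges and "-1" (all traffic).

HIGH_RISK_PORTS = {20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000, 3306,
                   3389, 4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def exposed_ports(permission):
    """High-risk ports that one IpPermissions entry opens to any source on the internet."""
    sources = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    if not OPEN_CIDRS.intersection(sources):
        return set()
    proto = permission.get("IpProtocol")
    if proto == "-1":                      # "-1" is all traffic; FromPort/ToPort are absent
        return set(HIGH_RISK_PORTS)
    if proto not in ("tcp", "udp"):        # e.g. icmp carries no meaningful port range
        return set()
    lo, hi = permission.get("FromPort", 0), permission.get("ToPort", 65535)
    return {p for p in HIGH_RISK_PORTS if lo <= p <= hi}   # one range may cover several


def find_violations(security_groups):
    """Return {GroupId: sorted high-risk ports reachable from the open CIDRs}."""
    findings = {}
    for sg in security_groups:
        ports = set().union(*(exposed_ports(p) for p in sg.get("IpPermissions", [])))
        if ports:
            findings[sg["GroupId"]] = sorted(ports)
    return findings


# Constructed sample data; the group IDs are placeholders, not real resources.
SAMPLE_GROUPS = [
    {"GroupId": "sg-EXAMPLE1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,          # covers 3306 and 3389
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-EXAMPLE2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},   # SSH limited to a private range, public DNS only: compliant with this rule
    {"GroupId": "sg-EXAMPLE3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},     # every port, every source
    ]},
]

if __name__ == "__main__":
    for group_id, ports in find_violations(SAMPLE_GROUPS).items():
        print(f"{group_id}: high-risk ports open to the internet: {ports}")
```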

Remediation

From the console

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. On the left side menu, click Security Groups.
  4. Select the security group you would like to edit.