Publicly accessible EC2 instance should not have open administrative ports
Description
This rule verifies that publicly accessible EC2 instances don’t have opened administrative ports.
Rationale
An EC2 instance is publicly accessible if it exists within infrastructure that could provide an access route from the internet for an attacker.
An EC2 instance with an open administrative port is considered risky.
You can use the AWS Reachability Analyzer to identify the path to your EC2 instance that is allowing it to be accessed via the internet. We recommend the following:
- Do not open your instance security group to the Internet.
- Do not assign your instance a public IP, this ensures that it is only accessible from within the VPC.
EC2 instances typically do not require an open administrative port. We recommend limiting the open ports attached to the instance.
References