Security groups should not allow unrestricted access to ports with high risk
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
This rule verifies that security groups do not allow unrestricted traffic on ports:
- 20, 21 (FTP)
- 22 (SSH)
- 23 (Telnet)
- 25 (SMTP)
- 110 (POP3)
- 135 (RPC)
- 143 (IMAP)
- 445 (CIFS)
- 1433, 1434 (MSSQL)
- 3000 (Go, Node.js, and Ruby web development frameworks)
- 3306 (mySQL)
- 3389 (RDP)
- 4333 (ahsp)
- 5000 (Python web development frameworks)
- 5432 (postgresql)
- 5500 (fcp-addr-srvr1)
- 5601 (OpenSearch Dashboards)
- 8080 (proxy)
- 8088 (legacy HTTP port)
- 8888 (alternative HTTP port)
- 9200 or 9300 (OpenSearch)
Restricting access to these ports is a security best practice, and required by AWS Foundational Security Best Practices.
Note: This rule only looks at the security group and does not attempt to identify if it is attached to resources such as an EC2 instance. Consequently, the rule has a low severity.
From the console
- Log in to the AWS Management Console.
- Navigate to the EC2 dashboard.
- On the left side menu, click
Security Groups
. - Select the security group you would like to edit.