Security groups should not allow unrestricted access to ports with high risk


Description

This rule verifies that security groups do not allow unrestricted traffic on ports:

  • 20, 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 25 (SMTP)
  • 110 (POP3)
  • 135 (RPC)
  • 143 (IMAP)
  • 445 (CIFS)
  • 1433, 1434 (MSSQL)
  • 3000 (Go, Node.js, and Ruby web development frameworks)
  • 3306 (MySQL)
  • 3389 (RDP)
  • 4333 (ahsp)
  • 5000 (Python web development frameworks)
  • 5432 (postgresql)
  • 5500 (fcp-addr-srvr1)
  • 5601 (OpenSearch Dashboards)
  • 8080 (proxy)
  • 8088 (legacy HTTP port)
  • 8888 (alternative HTTP port)
  • 9200, 9300 (OpenSearch)

Restricting access to these ports is a security best practice, and required by AWS Foundational Security Best Practices.

Note: This rule only looks at the security group and does not attempt to identify if it is attached to resources such as an EC2 instance. Consequently, the rule has a low severity.
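The check described above can be reproduced offline against the output of `aws ec2 describe-security-groups`. The following is an added example, not Datadog's rule implementation or AWS code: it walks each group's `IpPermissions`, treats `0.0.0.0/0` and `::/0` as unrestricted, expands port ranges and the all-traffic protocol `-1`, and reports every high-risk port from the list above that is open to the world. The helper names and the sample security groups are constructed for illustration.

```python
"""Flag security-group ingress rules that expose high-risk ports to the world.

Added example. The sample groups below are constructed and the helper names
are assumptions; only the port list comes from the rule description.
"""
from __future__ import annotations

# Port -> service label, taken from the rule description.
HIGH_RISK_PORTS: dict[int, str] = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 110: "POP3",
    135: "RPC", 143: "IMAP", 445: "CIFS", 1433: "MSSQL", 1434: "MSSQL",
    3000: "web dev frameworks (Go/Node.js/Ruby)", 3306: "MySQL", 3389: "RDP",
    4333: "ahsp", 5000: "Python web dev frameworks", 5432: "PostgreSQL",
    5500: "fcp-addr-srvr1", 5601: "OpenSearch Dashboards", 8080: "proxy",
    8088: "legacy HTTP", 8888: "alternative HTTP", 9200: "OpenSearch",
    9300: "OpenSearch",
}

# CIDRs that mean "anyone on the internet" (IPv4 and IPv6).
UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}


def _is_unrestricted(perm: dict) -> bool:
    """True if any IPv4 or IPv6 range in the permission is world-open."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & UNRESTRICTED_CIDRS)


def _exposed_ports(perm: dict) -> list[int]:
    """High-risk ports covered by one permission's protocol and port range."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":  # all protocols and all ports
        return sorted(HIGH_RISK_PORTS)
    if proto not in {"tcp", "udp", "6", "17"}:
        return []  # ICMP and friends carry no TCP/UDP port
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return sorted(p for p in HIGH_RISK_PORTS if lo <= p <= hi)


def find_exposed_high_risk_ports(security_group: dict) -> list[tuple[str, int, str]]:
    """Return (GroupId, port, service) for each world-open high-risk port."""
    findings = set()
    gid = security_group.get("GroupId", "<unknown>")
    for perm in security_group.get("IpPermissions", []):
        if not _is_unrestricted(perm):
            continue
        for port in _exposed_ports(perm):
            findings.add((gid, port, HIGH_RISK_PORTS[port]))
    return sorted(findings)


def scan_groups(groups: list[dict]) -> list[tuple[str, int, str]]:
    """Run the check over every group in a describe-security-groups result."""
    return [f for g in groups for f in find_exposed_high_risk_ports(g)]


# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {   # SSH open to IPv4 world, a range covering MySQL/RDP open to IPv6 world,
        # and HTTPS open to the world (not in the high-risk list)
        "GroupId": "sg-0example1",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # SSH restricted to a private range: compliant
        "GroupId": "sg-0example2",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # all traffic from anywhere: every listed port is exposed
        "GroupId": "sg-0example3",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for gid, port, service in scan_groups(SAMPLE_GROUPS):
        print(f"{gid}: port {port} ({service}) open to the world")
```

Feed it real data with `aws ec2 describe-security-groups --output json` and pass the `SecurityGroups` array to `scan_groups`. Like the rule itself, this only inspects the group definition; whether the group is attached to anything is a separate question.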

Remediation

From the console

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. On the left side menu, click Security Groups.
  4. Select the security group you would like to edit.