Publicly accessible EC2 instance should not have open administrative ports

Description

This rule verifies that publicly accessible EC2 instances don’t have open administrative ports.

Rationale

An EC2 instance is publicly accessible if it exists within infrastructure that could provide an access route from the internet for an attacker.

An EC2 instance with an open administrative port is considered risky.

Remediation

You can use the AWS Reachability Analyzer to identify the path to your EC2 instance that is allowing it to be accessed via the internet. We recommend the following:

  • Do not open your instance security group to the Internet.
  • Do not assign your instance a public IP. This ensures that it is only accessible from within the VPC.

EC2 instances typically do not require an open administrative port. We recommend limiting the open ports attached to the instance.
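
The security group part of this remediation can be audited offline against the output of EC2 DescribeSecurityGroups. The following is an added example, not code from the rule itself: the port list (SSH 22, RDP 3389) is an assumption because the page does not define which ports are administrative, and the group IDs and rules are constructed sample data.

```python
import ipaddress

# Assumption: the page does not define "administrative port"; SSH and RDP are illustrative.
ADMIN_PORTS = (22, 3389)

# Constructed sample in the shape of an EC2 DescribeSecurityGroups response.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-c", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-example-d", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def covers_port(perm, port):
    """True when an IpPermissions entry admits TCP traffic to the port."""
    if perm.get("IpProtocol") == "-1":  # all protocols, all ports
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any source on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def open_admin_ports(groups):
    """Return sorted (group_id, port, cidr) for admin ports open to the world."""
    findings = set()
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in filter(is_world, cidrs):
                findings.update((sg["GroupId"], p, cidr)
                                for p in ADMIN_PORTS if covers_port(perm, p))
    return sorted(findings)

if __name__ == "__main__":
    print(open_admin_ports(SAMPLE_GROUPS))
```

A port range that merely contains an administrative port (3000-4000 here) and an all-protocols rule are both flagged, which a check for an exact port match would miss.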
