Security groups should not allow unrestricted access to ports with high risk

Description

This rule verifies that security groups do not allow unrestricted traffic on ports:

  • 20, 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 25 (SMTP)
  • 110 (POP3)
  • 135 (RPC)
  • 143 (IMAP)
  • 445 (CIFS)
  • 1433, 1434 (MSSQL)
  • 3000 (Go, Node.js, and Ruby web development frameworks)
  • 3306 (MySQL)
  • 3389 (RDP)
  • 4333 (ahsp)
  • 5000 (Python web development frameworks)
  • 5432 (PostgreSQL)
  • 5500 (fcp-addr-srvr1)
  • 5601 (OpenSearch Dashboards)
  • 8080 (proxy)
  • 8088 (legacy HTTP port)
  • 8888 (alternative HTTP port)
  • 9200, 9300 (OpenSearch)

Restricting access to these ports is a security best practice, and required by AWS Foundational Security Best Practices.

Note: This rule only inspects the security group itself and does not attempt to determine whether it is attached to any resource, such as an EC2 instance. Consequently, the rule has a low severity.
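The check the rule describes can be reproduced offline against security-group data in the shape of the EC2 DescribeSecurityGroups API response. The following Python is an added example, not the rule's own implementation: the security-group records, group IDs and CIDR ranges are constructed placeholders, and the function names are assumptions. It treats a source of 0.0.0.0/0 or ::/0 as unrestricted, and also handles the two edge cases a port-by-port check tends to miss: an "all traffic" rule (IpProtocol "-1", which carries no port fields) and a TCP/UDP rule whose FromPort..ToPort range spans the listed ports.

```python
"""Evaluate EC2 security groups for unrestricted ingress on high-risk ports.

Added example (not part of the rule page). The records in SAMPLE_SECURITY_GROUPS
are constructed inline in the shape of the EC2 DescribeSecurityGroups response
(GroupId, IpPermissions, IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges).
"""

# High-risk ports listed by the rule, with the service names it gives.
HIGH_RISK_PORTS = {
    20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 110: "POP3",
    135: "RPC", 143: "IMAP", 445: "CIFS", 1433: "MSSQL", 1434: "MSSQL",
    3000: "web dev framework", 3306: "MySQL", 3389: "RDP", 4333: "ahsp",
    5000: "web dev framework", 5432: "PostgreSQL", 5500: "fcp-addr-srvr1",
    5601: "OpenSearch Dashboards", 8080: "proxy", 8088: "legacy HTTP",
    8888: "alternative HTTP", 9200: "OpenSearch", 9300: "OpenSearch",
}

# Source ranges that mean "from anywhere".
UNRESTRICTED_SOURCES = {"0.0.0.0/0", "::/0"}


def _unrestricted_sources(perm):
    """Return the any-source CIDRs present on one IpPermission entry."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in UNRESTRICTED_SOURCES)


def _exposed_ports(perm):
    """Return the high-risk ports covered by one IpPermission entry.

    IpProtocol "-1" means all protocols, carries no FromPort/ToPort, and
    therefore covers every port. A TCP/UDP rule covers the inclusive range
    FromPort..ToPort, so a 0-65535 rule also covers every listed port.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(HIGH_RISK_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return sorted(p for p in HIGH_RISK_PORTS if lo <= p <= hi)


def find_unrestricted_high_risk(security_groups):
    """Return one finding per (group, port, source) that violates the rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = _unrestricted_sources(perm)
            if not sources:
                continue
            for port in _exposed_ports(perm):
                for src in sources:
                    findings.append({
                        "group_id": sg["GroupId"],
                        "port": port,
                        "service": HIGH_RISK_PORTS[port],
                        "source": src,
                    })
    return findings


# Constructed sample input: group IDs and CIDR ranges are placeholders.
SAMPLE_SECURITY_GROUPS = [
    {   # SSH open to the world over IPv4: one finding
        "GroupId": "sg-0000000000000001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # RDP limited to a single documentation-range /24: compliant
        "GroupId": "sg-0000000000000002",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {   # All traffic from anywhere over IPv6: every high-risk port exposed
        "GroupId": "sg-0000000000000003",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # HTTPS from anywhere: port 443 is not on the rule's list, compliant
        "GroupId": "sg-0000000000000004",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for f in find_unrestricted_high_risk(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group_id']}: port {f['port']} ({f['service']}) open to {f['source']}")
```

Run against the constructed sample, the first group yields a single SSH finding, the third yields one finding per listed port because the "all traffic" rule covers them all, and the other two produce nothing. As the rule's note says, a finding here only tells you the group is permissive, not that it is attached to anything; correlating group IDs with instance or ENI attachments is a separate step.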

Remediation

From the console

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. On the left side menu, click Security Groups.
  4. Select the security group you would like to edit.