Security groups should not allow unrestricted access to ports with high risk

Description

This rule verifies that publicly accessible EC2 instances do not allow unrestricted inbound traffic on the following ports:

  • 20, 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 25 (SMTP)
  • 110 (POP3)
  • 135 (RPC)
  • 143 (IMAP)
  • 445 (CIFS)
  • 1433, 1434 (MSSQL)
  • 3000 (Go, Node.js, and Ruby web development frameworks)
  • 3306 (MySQL)
  • 3389 (RDP)
  • 4333 (ahsp)
  • 5000 (Python web development frameworks)
  • 5432 (PostgreSQL)
  • 5500 (fcp-addr-srvr1)
  • 5601 (OpenSearch Dashboards)
  • 8080 (proxy)
  • 8088 (legacy HTTP port)
  • 8888 (alternative HTTP port)
  • 9200 or 9300 (OpenSearch)

Restricting access to these ports is a security best practice, and required by AWS Foundational Security Best Practices.
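The following is an added example of how this check can be evaluated offline against a security group's ingress rules; it is not AWS's, Security Hub's, or this rule's own implementation. It assumes the dictionary shape that boto3's describe_security_groups returns (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges and Ipv6Ranges), and the sample group below is constructed for illustration. It goes slightly beyond the list above in that it also flags an "all traffic" rule (IpProtocol "-1") and a port range that merely spans one of the listed ports, since both expose the port just as a single-port rule would.

```python
"""Added example (not AWS's code): find security-group ingress rules that open
high-risk ports to the whole internet (0.0.0.0/0 or ::/0).

Assumption: permissions use the boto3 describe_security_groups dict shape.
"""

from typing import Dict, List

# Ports named in the rule text above.
HIGH_RISK_PORTS = {
    20, 21, 22, 23, 25, 110, 135, 143, 445, 1433, 1434, 3000, 3306,
    3389, 4333, 5000, 5432, 5500, 5601, 8080, 8088, 8888, 9200, 9300,
}

# Source ranges that mean "anyone on the IPv4 or IPv6 internet".
UNRESTRICTED_CIDRS = {"0.0.0.0/0", "::/0"}


def _is_unrestricted(permission: dict) -> bool:
    """True if any IPv4 or IPv6 source range of the permission is the whole internet."""
    v4 = any(r.get("CidrIp") in UNRESTRICTED_CIDRS for r in permission.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") in UNRESTRICTED_CIDRS for r in permission.get("Ipv6Ranges", []))
    return v4 or v6


def exposed_high_risk_ports(permission: dict) -> List[int]:
    """Return the high-risk ports that one ingress permission opens to the internet.

    Edge cases handled:
      * IpProtocol "-1" (all traffic) carries no FromPort/ToPort and covers every port.
      * A FromPort-ToPort range that spans a listed port (e.g. 3000-3500 covers 3306)
        is a finding even though that exact port is not written in the rule.
      * ICMP rules use FromPort/ToPort for type/code, not ports, so they are skipped.
    """
    if not _is_unrestricted(permission):
        return []
    proto = str(permission.get("IpProtocol", ""))
    if proto == "-1":
        return sorted(HIGH_RISK_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):  # names or IANA protocol numbers
        return []
    low = permission.get("FromPort", 0)
    high = permission.get("ToPort", 65535)
    return sorted(p for p in HIGH_RISK_PORTS if low <= p <= high)


def evaluate_security_group(group: dict) -> Dict[str, List[int]]:
    """Map each offending rule (labelled protocol:from-to) to the ports it exposes.

    An empty result means the group passes this rule.
    """
    findings: Dict[str, List[int]] = {}
    for perm in group.get("IpPermissions", []):
        ports = exposed_high_risk_ports(perm)
        if ports:
            label = (f"{perm.get('IpProtocol')}:"
                     f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}")
            findings[label] = ports
    return findings


# Constructed sample group (ids and ranges are made up for this example).
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        # Compliant: HTTPS from anywhere is not in the high-risk list.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Non-compliant: SSH open to the whole IPv6 internet.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # Non-compliant: a wide range that happens to cover 3000, 3306 and 3389.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Compliant: MySQL restricted to a private range.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}


if __name__ == "__main__":
    for rule, ports in evaluate_security_group(SAMPLE_GROUP).items():
        print(f"{SAMPLE_GROUP['GroupId']} rule {rule} exposes high-risk ports {ports}")
```

Against a live account the same functions can be fed the output of boto3's describe_security_groups; the rule labels in the result identify which ingress entry to restrict to a specific source range or remove.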

Remediation

From the console

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. On the left side menu, click Security Groups.
  4. Select the security group you would like to edit.