💼 [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
-
Contextual name: 💼 [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
-
ID:
/frameworks/aws-fsbp-v1.0.0/ec2/18 -
Located in: 💼 Elastic Compute Cloud (EC2)
Description​
Security groups provide stateful filtering of ingress and egress network traffic to AWS. Security group rules should follow the principal of least privileged access. Unrestricted access (IP address with a /0 suffix) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data. Unless a port is specifically allowed, the port should deny unrestricted access.
Similar​
- AWS Security Hub
- Internal
- ID:
dec-c-6d0673bc
- ID:
Similar Sections (Give Policies To)​
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement | 32 | 68 | 89 | |
| 💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows | 37 | 46 | ||
| 💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection | 29 | 4 | 50 | |
| 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services | 28 | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(5) Boundary Protection _ Deny by Default — Allow by Exception | 4 | 18 | ||
| 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic | 22 | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components | 23 | |||
| 💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components | 22 |
Sub Sections​
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|