[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports

Contextual name: [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
ID: /frameworks/aws-fsbp-v1.0.0/ec2/18
Located in: Elastic Compute Cloud (EC2)
Description
Security groups provide stateful filtering of ingress and egress network traffic for AWS resources such as EC2 instances. Security group rules should follow the principle of least privilege. Unrestricted access (a source CIDR with a /0 suffix, i.e. 0.0.0.0/0 or ::/0) increases the opportunity for malicious activity such as hacking, denial-of-service attacks, and loss of data. Unless a port is specifically authorized, the security group should not allow unrestricted inbound access to it. Security Hub evaluates this control with the AWS Config managed rule vpc-sg-open-only-to-authorized-ports; by default only TCP ports 80 and 443 are authorized, and the authorizedTcpPorts and authorizedUdpPorts rule parameters change that list. Note that a rule for "All traffic" (protocol -1) or for a port range such as 80-443 open to 0.0.0.0/0 also fails the check, because it exposes ports outside the authorized set.
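The following is an added example, not code from this page or from AWS, showing how the check behaves on the data `aws ec2 describe-security-groups` returns. It assumes the Security Hub defaults (TCP 80 and 443 authorized, no UDP), treats an "All traffic" rule and an over-wide port range as findings, skips non-port protocols such as ICMP as a simplification, and builds the `revoke-security-group-ingress` call that removes only the /0 sources from an offending rule. The security groups in the sample are constructed, not real account data.

```python
"""Offline evaluator for EC2.18: flag security group ingress rules that are open to
the world (0.0.0.0/0 or ::/0) on ports other than the authorized ones.
Added example; not the page's or AWS's code. The input shape mirrors the
IpPermissions structure returned by `aws ec2 describe-security-groups`."""
import json

# Security Hub's defaults for this control: only TCP 80 and 443 may be world-open and
# no UDP port is, unless the authorizedTcpPorts / authorizedUdpPorts parameters are changed.
DEFAULT_AUTHORIZED_TCP = frozenset({80, 443})
DEFAULT_AUTHORIZED_UDP = frozenset()

# Constructed sample input (not real account data), trimmed to the fields the check uses.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [                       # compliant web tier
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [                       # SSH and RDP open to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ccc", "IpPermissions": [                       # "All traffic" rule
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0ddd", "IpPermissions": [                       # range hides 81-442
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def world_open_cidrs(perm):
    """Return the /0 sources on a rule. Rules limited to specific CIDRs, prefix lists
    or other security groups yield an empty list and are outside this control."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
    return cidrs


def range_has_unauthorized_port(from_port, to_port, authorized):
    """A rule may span a port range; it is compliant only if every port in it is authorized.
    Counting the authorized ports that fall inside the range avoids iterating 0-65535."""
    allowed_in_range = sum(1 for p in authorized if from_port <= p <= to_port)
    return (to_port - from_port + 1) > allowed_in_range


def find_unauthorized_open_ingress(security_groups,
                                   authorized_tcp=DEFAULT_AUTHORIZED_TCP,
                                   authorized_udp=DEFAULT_AUTHORIZED_UDP):
    """Return one finding per world-open ingress rule that exposes an unauthorized port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = world_open_cidrs(perm)
            if not cidrs:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":
                # "All traffic": every port of every protocol is reachable from anywhere.
                findings.append({"GroupId": sg["GroupId"], "IpProtocol": proto,
                                 "FromPort": None, "ToPort": None, "Cidrs": cidrs})
                continue
            if proto not in ("tcp", "udp"):
                continue  # simplification: ICMP and numbered protocols are not port-based
            authorized = authorized_tcp if proto == "tcp" else authorized_udp
            if range_has_unauthorized_port(perm["FromPort"], perm["ToPort"], authorized):
                findings.append({"GroupId": sg["GroupId"], "IpProtocol": proto,
                                 "FromPort": perm["FromPort"], "ToPort": perm["ToPort"],
                                 "Cidrs": cidrs})
    return findings


def revoke_command(finding):
    """Build the AWS CLI call that removes exactly the offending /0 sources from the rule,
    leaving any narrower CIDRs on the same rule in place."""
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["FromPort"] is not None:
        perm["FromPort"], perm["ToPort"] = finding["FromPort"], finding["ToPort"]
    v4 = [{"CidrIp": c} for c in finding["Cidrs"] if c == "0.0.0.0/0"]
    v6 = [{"CidrIpv6": c} for c in finding["Cidrs"] if c == "::/0"]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], json.dumps([perm])))


if __name__ == "__main__":
    for f in find_unauthorized_open_ingress(SAMPLE_SECURITY_GROUPS):
        ports = "all" if f["FromPort"] is None else "%s-%s" % (f["FromPort"], f["ToPort"])
        print("%s %s/%s open to %s" % (f["GroupId"], f["IpProtocol"], ports, ",".join(f["Cidrs"])))
        print("  " + revoke_command(f))
```

Against the sample, sg-0aaa passes (80 and 443 are authorized, and the SSH rule is limited to 10.0.0.0/8), while sg-0bbb, sg-0ccc and sg-0ddd each produce findings. Passing a different `authorized_tcp` set mirrors changing the control's authorizedTcpPorts parameter; to run against a live account, replace `SAMPLE_SECURITY_GROUPS` with the `SecurityGroups` list from `describe-security-groups`.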
Similar
- AWS Security Hub
- Internal
- ID: dec-c-6d0673bc
- ID:
Similar Sections (Give Policies To)
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| NIST SP 800-53 Revision 5 → AC-4 Information Flow Enforcement | 32 | 61 | 73 | |
| NIST SP 800-53 Revision 5 → AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows | 35 | 39 | | |
| NIST SP 800-53 Revision 5 → SC-7 Boundary Protection | 29 | 5 | 33 | |
| NIST SP 800-53 Revision 5 → SC-7(4) Boundary Protection _ External Telecommunications Services | 17 | | | |
| NIST SP 800-53 Revision 5 → SC-7(5) Boundary Protection _ Deny by Default, Allow by Exception | 5 | 19 | | |
| NIST SP 800-53 Revision 5 → SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic | 15 | | | |
| NIST SP 800-53 Revision 5 → SC-7(16) Boundary Protection _ Prevent Discovery of System Components | 16 | | | |
| NIST SP 800-53 Revision 5 → SC-7(21) Boundary Protection _ Isolation of System Components | 16 | | | |
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|