vpc-sg-open-only-to-authorized-ports - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Checks if security groups allowing unrestricted incoming traffic ('' or '::/0') only allow inbound TCP or UDP connections on authorized ports. The rule is NON_COMPLIANT if such security groups do not have ports specified in the rule parameters.


This rule evaluates Amazon EC2 security groups with ingress rule set to IPv4='' or IPv6='::/'. If the security group does not have one of those destinations, this rule returns NOT_APPLICABLE.


Resource Types: AWS::EC2::SecurityGroup

Trigger type: Configuration changes and Periodic

Amazon Web Services Region: All supported Amazon regions except Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv) Region


authorizedTcpPorts (Optional)
Type: String

Comma-separated list of TCP ports authorized to be open to or ::/0. Ranges are defined by dash, for example, "443,1020-1025".

authorizedUdpPorts (Optional)
Type: String

Comma-separated list of UDP ports authorized to be open to or ::/0. Ranges are defined by dash, for example, "500,1020-1025".

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.