vpc-sg-open-only-to-authorized-ports
Checks if security groups allowing unrestricted incoming traffic ('0.0.0.0/0' or '::/0') only allow inbound TCP or UDP connections on authorized ports. The rule is NON_COMPLIANT if such security groups do not have ports specified in the rule parameters.
Note
This rule evaluates Amazon EC2 security groups with ingress rule set to IPv4='0.0.0.0/0' or IPv6='::/'.
If the security group does not have one of those destinations, this rule returns NOT_APPLICABLE
.
Identifier: VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS
Resource Types: AWS::EC2::SecurityGroup
Trigger type: Configuration changes and Periodic
Amazon Web Services Region: All supported Amazon regions except Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv) Region
Parameters:
- authorizedTcpPorts (Optional)
- Type: String
-
Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0 or ::/0. Ranges are defined by dash, for example, "443,1020-1025".
- authorizedUdpPorts (Optional)
- Type: String
-
Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0 or ::/0. Ranges are defined by dash, for example, "500,1020-1025".
Amazon CloudFormation template
To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.