vpc-sg-port-restriction-check - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

vpc-sg-port-restriction-check

Checks if security groups restrict incoming traffic to restricted ports explicitly from 0.0.0.0/0 or ::/0. The rule is NON_COMPLIANT if security groups allow incoming traffic from 0.0.0.0/0 or ::/0 over TCP/UDP ports 22/3389 or as specified in parameters.

Identifier: VPC_SG_PORT_RESTRICTION_CHECK

Resource Types: AWS::EC2::SecurityGroup

Trigger type: Periodic

Amazon Web Services Region: All supported Amazon regions

Parameters:

restrictPorts (Optional)
Type: CSV

Comma-separated list of ports that should not be open for incoming traffic over the full IP range. Valid port numbers range from 0 to 65535. If not specified, the rule defaults to check for 22 and 3389.

protocolType (Optional)
Type: String

The Transmission Protocol Type for the rule to check. Valid values include 'TCP', 'UDP', and 'ALL' (case-insensitive). If set to 'ALL', the rule will check for rules that use either 'TCP', 'UDP', or 'ALL' (-1) protocol. Default value is 'ALL'.

excludeExternalSecurityGroups (Optional)
Type: boolean

Boolean flag to exclude the evaluation of external security groups. If set to 'true', the rule will not include external security groups in the evaluation. Otherwise, all security groups are evaluated if value is set to 'false.' Default value is 'true'.

ipType (Optional)
Type: String

The Internet Protocol (IP) version for the rule to check. Valid values include 'IPv4', 'IPv6', and 'ALL' (case-insensitive). If not specified, the rule defaults to check for 'ALL'.

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.