Ensure Public Security Group Rule is Not Set To All Ports or Protocols

ip_protocol - (Required, ForceNew) The protocol. Can be tcp, udp, icmp, gre or all.

port_range - (ForceNew) The range of port numbers relevant to the IP protocol. Defaults to "-1/-1". When the protocol is tcp or udp, each end of the range is a port number from 1 to 65535, and "-1/-1" is invalid. For example, 1/200 means ports 1 through 200. For any other protocol, port_range can only be "-1/-1"; any other value is invalid.

cidr_ip - (Optional, ForceNew) The target IP address range. The default value is 0.0.0.0/0, which applies no restriction at all, so a rule that omits cidr_ip is public. Other supported formats include 10.159.6.18/12. Only IPv4 is supported.

Risk Level: medium
Platform: Alicloud
Spectral Rule ID: TFALCLD024

REMEDIATION

A rule is flagged when cidr_ip is 0.0.0.0/0 (explicitly or by default) and the rule opens every protocol (ip_protocol = "all") or the entire port range. Restrict cidr_ip to the source networks that actually need access, set ip_protocol to the one protocol the service uses, and set port_range to the ports it listens on rather than the whole range.

- cidr_ip           = "0.0.0.0/0"
+ cidr_ip           = "10.159.6.18/12"
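Review bot: the replacement CIDR on the `+` line is the provider documentation's placeholder, and 10.159.6.18/12 has host bits set beyond the /12 mask (it normalizes to 10.144.0.0/12). Substitute the real source network in canonical form, and keep it as narrow as the clients require, e.g. `cidr_ip = "10.144.0.0/12"` or a single /24.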

- ip_protocol       = "all"
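Review bot: this hunk deletes `ip_protocol = "all"` without adding a replacement, but ip_protocol is Required, so the resource will not plan. Add the specific protocol and a matching port_range, for example `ip_protocol = "tcp"` and `port_range = "443/443"`; note that "-1/-1" is only valid for non-tcp/udp protocols.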

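As an added example (not Spectral's implementation and not code from the page), the following Python script approximates this check over Terraform HCL: it extracts the flat `key = value` attributes of each alicloud_security_group_rule block with a small regex parser and reports rules whose cidr_ip is 0.0.0.0/0, either explicitly or because cidr_ip was omitted and the provider default applies, and which open every protocol or the full 1-65535 tcp/udp range. The sample configurations, the resource names, and the 203.0.113.0/24 source network are constructed for the example; restricting the report to ingress rules is an assumption, since the page does not say whether egress rules are in scope.

```python
"""Approximation of the "all ports or protocols to the public" check.

Not Spectral's code. Parses only flat `key = value` attributes inside
alicloud_security_group_rule blocks (no nested blocks, no expressions).
"""
import re
from typing import Dict, List

# Constructed sample configs (not from the page). WEAK_HCL holds two rules the
# check should flag; FIXED_HCL holds a remediated rule and a public rule that
# only opens one port, which this particular check does not report.
WEAK_HCL = '''
resource "alicloud_security_group_rule" "any_any" {
  type              = "ingress"
  ip_protocol       = "all"
  port_range        = "-1/-1"
  cidr_ip           = "0.0.0.0/0"
  security_group_id = alicloud_security_group.default.id
}

resource "alicloud_security_group_rule" "tcp_all_ports_default_cidr" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "1/65535"
  security_group_id = alicloud_security_group.default.id
}
'''

FIXED_HCL = '''
resource "alicloud_security_group_rule" "https_from_office" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "443/443"
  cidr_ip           = "203.0.113.0/24"
  security_group_id = alicloud_security_group.default.id
}

resource "alicloud_security_group_rule" "https_public" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "443/443"
  cidr_ip           = "0.0.0.0/0"
  security_group_id = alicloud_security_group.default.id
}
'''

RESOURCE_RE = re.compile(
    r'resource\s+"alicloud_security_group_rule"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


def parse_rules(hcl: str) -> Dict[str, Dict[str, str]]:
    """Map resource name -> attribute dict; quoted strings are unquoted,
    bare references (e.g. alicloud_security_group.default.id) are kept as text."""
    rules: Dict[str, Dict[str, str]] = {}
    for name, body in RESOURCE_RE.findall(hcl):
        rules[name] = {k: v.strip('"') for k, v in ATTR_RE.findall(body)}
    return rules


def opens_all_ports(protocol: str, port_range: str) -> bool:
    """True when a tcp/udp rule spans 1-65535. For icmp, gre and all the only
    valid port_range is "-1/-1", which carries no port meaning, so it is not
    judged here; the "all" protocol is handled separately in check()."""
    if protocol not in ("tcp", "udp"):
        return False
    try:
        low, high = (int(p) for p in port_range.split("/"))
    except ValueError:
        return False  # a variable or malformed value: cannot decide statically
    return low <= 1 and high >= 65535


def check(hcl: str) -> List[str]:
    """Return the names of ingress rules that are public and wide open."""
    flagged: List[str] = []
    for name, attrs in parse_rules(hcl).items():
        if attrs.get("type") != "ingress":
            continue  # assumption: only ingress rules are in scope
        # The provider default for cidr_ip is 0.0.0.0/0, so an omitted
        # cidr_ip is just as public as an explicit one.
        if attrs.get("cidr_ip", "0.0.0.0/0") != "0.0.0.0/0":
            continue
        proto = attrs.get("ip_protocol", "")
        if proto == "all" or opens_all_ports(proto, attrs.get("port_range", "-1/-1")):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("weak:", check(WEAK_HCL))    # ['any_any', 'tcp_all_ports_default_cidr']
    print("fixed:", check(FIXED_HCL))  # []
```

The second resource in WEAK_HCL is the case that is easy to miss in review: it never mentions cidr_ip, yet it is public because the provider default is 0.0.0.0/0. The https_public rule in FIXED_HCL is still reachable from the internet, but it is outside this rule's scope (one port, one protocol); a separate policy on exposed ports would have to catch it.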
Read more: