Ensure Public Security Group Rule Does Not Expose a Sensitive Port

A sensitive port, such as port 23 (Telnet) or port 110 (POP3), is open to the public over TCP or UDP. The arguments of the alicloud_security_group_rule resource that decide this are:

- ip_protocol (Required, ForceNew): the protocol. One of tcp, udp, icmp, gre or all.
- port_range (ForceNew): the range of port numbers relevant to the protocol. Defaults to "-1/-1". When ip_protocol is tcp or udp, each side of the range must be between 1 and 65535 and "-1/-1" is invalid; for example, "1/200" means ports 1 to 200. For the other protocols port_range can only be "-1/-1"; any other value is invalid.
- cidr_ip (Optional, ForceNew): the target IP address range (the source for ingress rules, the destination for egress rules). Defaults to 0.0.0.0/0, which applies no restriction at all. Other supported formats include 10.159.6.18/12. Only IPv4 is supported.

Risk Level: medium
Platform: Alicloud
Spectral Rule ID: TFALCLD025

REMEDIATION

cidr_ip, ip_protocol and port_range must not combine to open a sensitive port, such as port 23 or port 110, to the public over TCP or UDP. Note that omitting cidr_ip is the same as writing 0.0.0.0/0, and that a port_range which merely contains the sensitive port is enough to trigger the finding. Restrict cidr_ip to the networks that actually need access, narrow port_range so it no longer includes the sensitive port, or remove the rule.

- port_range        = "19/20" # flagged because the range includes port 20 (FTP data) and the rule is open to 0.0.0.0/0
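The following script is an added example, not part of this rule page or of Spectral's own implementation. It applies the check described above to Terraform HCL: for every alicloud_security_group_rule block it combines ip_protocol, port_range and cidr_ip (with the 0.0.0.0/0 default when cidr_ip is omitted) and reports which sensitive ports are reachable from the public. The sensitive-port set contains only the ports named on this page (20, 23, 110); the real rule's list is not given here, so treat the set as a placeholder. Restricting the check to ingress rules with policy accept, and the minimal regex-based attribute extraction, are assumptions of this example. The sample HCL is constructed for the demonstration, with one block mirroring the flagged "19/20" setting and one block showing the restricted-CIDR fix.

```python
"""Flag alicloud_security_group_rule blocks that open a sensitive port to 0.0.0.0/0.

Added example; not the rule page's or Spectral's own code.
"""
import ipaddress
import re

# Only the ports this page names. The full list used by the real rule is not
# given on the page; extend this set to match your policy.
SENSITIVE_PORTS = {20, 23, 110}

# Minimal extraction: one resource block per match, quoted attributes only.
# Unquoted values (priority = 1, security_group_id = ...id) are ignored on purpose.
_BLOCK_RE = re.compile(
    r'resource\s+"alicloud_security_group_rule"\s+"([^"]+)"\s*\{(.*?)\}', re.DOTALL)
_ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)


def parse_rules(hcl: str) -> dict:
    """Map resource name -> {attribute: value} for each security group rule block."""
    return {name: dict(_ATTR_RE.findall(body)) for name, body in _BLOCK_RE.findall(hcl)}


def parse_port_range(port_range: str):
    """Return (low, high), or None for "-1/-1" (every port). Raise on invalid ranges."""
    low, high = (int(part) for part in port_range.split("/"))
    if (low, high) == (-1, -1):
        return None
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port_range {port_range!r}")
    return low, high


def is_public(cidr_ip: str) -> bool:
    """A prefix of length 0 (0.0.0.0/0) applies no source restriction."""
    return ipaddress.ip_network(cidr_ip, strict=False).prefixlen == 0


def exposed_sensitive_ports(rule: dict) -> set:
    """Sensitive ports this rule opens to the public; an empty set means compliant."""
    if rule.get("type", "ingress") != "ingress":      # assumption: egress is out of scope
        return set()
    if rule.get("policy", "accept") != "accept":      # a drop rule exposes nothing
        return set()
    if rule.get("ip_protocol", "").lower() not in ("tcp", "udp", "all"):
        return set()                                   # icmp/gre carry no ports
    if not is_public(rule.get("cidr_ip", "0.0.0.0/0")):  # Alicloud default is 0.0.0.0/0
        return set()
    port_range = parse_port_range(rule.get("port_range", "-1/-1"))
    if port_range is None:                             # "-1/-1" with protocol all: every port
        return set(SENSITIVE_PORTS)
    low, high = port_range
    return {port for port in SENSITIVE_PORTS if low <= port <= high}


def check(hcl: str) -> dict:
    """Resource name -> sorted list of publicly exposed sensitive ports."""
    return {name: sorted(exposed_sensitive_ports(rule)) for name, rule in parse_rules(hcl).items()}


# Constructed sample: the flagged "19/20" case, an omitted cidr_ip, protocol all,
# an egress rule, and the restricted-CIDR fix.
SAMPLE_HCL = '''
resource "alicloud_security_group_rule" "ftp_open" {
  type              = "ingress"
  ip_protocol       = "tcp"
  policy            = "accept"
  port_range        = "19/20"
  priority          = 1
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "telnet_default_cidr" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "23/23"
  security_group_id = alicloud_security_group.default.id
}

resource "alicloud_security_group_rule" "all_public" {
  type              = "ingress"
  ip_protocol       = "all"
  port_range        = "-1/-1"
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "telnet_egress" {
  type              = "egress"
  ip_protocol       = "tcp"
  port_range        = "23/23"
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "pop3_internal" {
  type              = "ingress"
  ip_protocol       = "tcp"
  port_range        = "110/110"
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "10.159.6.18/12"
}
'''

if __name__ == "__main__":
    for name, ports in check(SAMPLE_HCL).items():
        print(f"{name}: {'exposed ' + str(ports) if ports else 'ok'}")
```

Only pop3_internal and telnet_egress come back clean: the first because cidr_ip no longer covers the whole Internet, the second because the example scopes the check to ingress. telnet_default_cidr is flagged even though it never mentions cidr_ip, which is the omitted-default trap the remediation text describes.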

Read more: