Ensure Public Security Group Rule is Known Port

A sensitive port, such as port 24 or port 111, is open to the public over TCP or UDP. The relevant security group rule arguments are:

ip_protocol - (Required, ForceNew) The protocol. Can be tcp, udp, icmp, gre or all.

port_range - (ForceNew) The range of port numbers relevant to the IP protocol. Defaults to "-1/-1". When the protocol is tcp or udp, each side of the range is a port number from 1 to 65535 and "-1/-1" is invalid. For example, 1/200 means that the range of port numbers is 1-200. For other protocols, port_range can only be "-1/-1"; any other value is invalid.

cidr_ip - (Optional, ForceNew) The source IP address range. The default value is 0.0.0.0/0 (which means no restriction is applied). Other supported formats include 10.159.6.18/12. Only IPv4 is supported.

Risk Level: medium
Platform: Alicloud
Spectral Rule ID: TFALCLD039

REMEDIATION

cidr_ip, ip_protocol and port_range should not, in combination, expose a sensitive port, such as port 24 or port 111, to the public (cidr_ip 0.0.0.0/0) over the TCP, UDP or ALL protocols. Restrict the source range:

- cidr_ip           = "0.0.0.0/0"
+ cidr_ip           = "10.159.6.18/12"
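As an added example (not code from the rule page, Spectral or the Alicloud provider), the check this rule describes, written in Python over constructed rule dicts that mirror the ip_protocol, port_range and cidr_ip arguments above. The sensitive-port list, the ingress/accept defaults and the strict=False CIDR normalisation are assumptions made for the example.

```python
import ipaddress

# Constructed list of "sensitive" ports; the rule text names 24 and 111 as examples.
SENSITIVE_PORTS = {24, 111}
PUBLIC_CIDR = ipaddress.ip_network("0.0.0.0/0")


def parse_port_range(ip_protocol, port_range):
    """Return (low, high) for a port_range string such as "1/200".

    For tcp/udp "-1/-1" is invalid and both ends must be 1..65535; for every
    other protocol only "-1/-1" is valid and it means all ports.
    """
    lo, hi = (int(p) for p in port_range.split("/"))
    if ip_protocol in ("tcp", "udp"):
        if (lo, hi) == (-1, -1) or not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port_range {port_range!r} for {ip_protocol}")
        return lo, hi
    if (lo, hi) != (-1, -1):
        raise ValueError(f"port_range for {ip_protocol} must be -1/-1")
    return 1, 65535


def is_public(cidr_ip):
    """True when the source range is the unrestricted default 0.0.0.0/0.

    strict=False accepts host-bit CIDRs such as 10.159.6.18/12 (normalised
    to 10.144.0.0/12), the form the remediation above uses. (Assumption.)
    """
    return ipaddress.ip_network(cidr_ip or "0.0.0.0/0", strict=False) == PUBLIC_CIDR


def exposed_sensitive_ports(rule):
    """Sensitive ports an ingress accept rule opens to 0.0.0.0/0, sorted."""
    proto = rule.get("ip_protocol", "all")
    # Assumed defaults: a rule is ingress/accept unless it says otherwise.
    if rule.get("type", "ingress") != "ingress" or rule.get("policy", "accept") != "accept":
        return []
    if proto not in ("tcp", "udp", "all") or not is_public(rule.get("cidr_ip")):
        return []
    lo, hi = parse_port_range(proto, rule.get("port_range", "-1/-1"))
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


# Constructed rules: the flagged form, the remediated form, the all-protocol
# default (cidr_ip omitted, so 0.0.0.0/0), and an egress rule that is out of scope.
RULES = [
    {"ip_protocol": "tcp", "port_range": "1/200", "cidr_ip": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "port_range": "1/200", "cidr_ip": "10.159.6.18/12"},
    {"ip_protocol": "all", "port_range": "-1/-1"},
    {"ip_protocol": "udp", "port_range": "111/111", "cidr_ip": "0.0.0.0/0", "type": "egress"},
]
```

Running exposed_sensitive_ports over RULES flags the first and third rule; the second is what the remediation above produces.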

Read more: