ECS Instance Should Not Bind Public IP or Allow Any IP Access
ID: rule:aliyun:ecs-instance-no-public-and-anyip
Severity: medium
Description
ECS instances should not directly bind IPv4 public IPs or Elastic IPs, and associated security groups should not expose 0.0.0.0/0. Compliant when no public IP is bound.
Reason for Violation
The ECS instance has public IP allocation enabled or uses unrestricted internet bandwidth.
Recommendation
Disable public IP allocation (AllocatePublicIP=false) and set InternetMaxBandwidthOut to 0. Use NAT Gateway or SLB for internet access instead.
Resource Types
ALIYUN::ECS::Instance
ALIYUN::ECS::InstanceGroup
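The recommendation above, expressed as a static check over a ROS template. This is an added example, not the rule's own implementation. The function names, resource names and sample template are constructed, and reporting omitted or non-literal values is an assumption of this sketch.

```python
# Added example: flag ECS resources in a ROS template that do not follow the
# recommendation (AllocatePublicIP=false and InternetMaxBandwidthOut=0).
ECS_TYPES = {"ALIYUN::ECS::Instance", "ALIYUN::ECS::InstanceGroup"}

def _literal(value):
    """Normalize 'false'/'0' style strings; non-literals (e.g. {"Ref": ...}) become None."""
    if isinstance(value, str):
        text = value.strip().lower()
        if text in ("true", "false"):
            return text == "true"
        return int(text) if text.isdigit() else None
    return value if isinstance(value, (bool, int)) else None

def find_public_ecs(template):
    """Return {resource_name: [reasons]} for ECS resources that may get a public IP."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in ECS_TYPES:
            continue
        props = res.get("Properties", {})
        bw = _literal(props.get("InternetMaxBandwidthOut"))
        reasons = []
        # Assumption: an omitted or unresolvable value is reported, because the
        # recommendation asks for both properties to be set explicitly.
        if _literal(props.get("AllocatePublicIP")) is not False:
            reasons.append("AllocatePublicIP is not false")
        if type(bw) is not int or bw != 0:
            reasons.append("InternetMaxBandwidthOut is not 0")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample template; resource names are hypothetical, other properties omitted.
SAMPLE = {
    "ROSTemplateFormatVersion": "2015-09-01",
    "Resources": {
        "WebServer": {"Type": "ALIYUN::ECS::Instance",
                      "Properties": {"AllocatePublicIP": True, "InternetMaxBandwidthOut": 5}},
        "Workers": {"Type": "ALIYUN::ECS::InstanceGroup",
                    "Properties": {"AllocatePublicIP": "false", "InternetMaxBandwidthOut": 0}},
        "Batch": {"Type": "ALIYUN::ECS::Instance",
                  "Properties": {"AllocatePublicIP": False}},
        "Vpc": {"Type": "ALIYUN::ECS::VPC", "Properties": {}},
    },
}

if __name__ == "__main__":
    for name, reasons in find_public_ecs(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

Values supplied through template parameters or functions cannot be resolved statically, so the sketch reports them for manual review rather than treating them as compliant.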