Security Group Ingress Source IP Not Include Public IP
ID: rule:aliyun:ecs-security-group-not-internet-cidr-access
Severity: high
Description
Security group ingress rules with an accept policy should not use a source IP range that contains public internet IP addresses.
Reason for Violation
The security group has an ingress rule that allows access from public internet IP addresses, which may expose the resources to external attacks.
Recommendation
Restrict ingress source IP to private network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) unless public internet access is explicitly required.
Resource Types
ALIYUN::ECS::SecurityGroup
ALIYUN::ECS::SecurityGroupIngress
ALIYUN::ECS::SecurityGroupIngresses
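Added example, not the rule's own implementation: a Python check that flags accept-policy ingress rules whose source is not fully contained in one of the private ranges listed under Recommendation. It covers the first two resource types only. The property names (SecurityGroupIngress, SourceCidrIp, Policy), the default policy of accept, and the sample template are assumptions constructed for illustration.

```python
import ipaddress

# Private ranges named in the Recommendation section of this rule.
PRIVATE_NETS = [ipaddress.ip_network(c)
                for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_only(cidr):
    """True only if every address in cidr lies inside one private range."""
    try:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return False  # unparsable source: fail closed
    # Containment, not overlap: 10.0.0.0/7 overlaps 10/8 but also holds public IPs.
    return net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_NETS)

def ingress_rules(template):
    """Yield (resource_name, rule) for inline and standalone ingress rules."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "ALIYUN::ECS::SecurityGroup":
            yield from ((name, r) for r in props.get("SecurityGroupIngress", []))
        elif res.get("Type") == "ALIYUN::ECS::SecurityGroupIngress":
            yield name, props

def violations(template):
    """Return (resource_name, source) for each accept rule open to public IPs."""
    out = []
    for name, rule in ingress_rules(template):
        policy = str(rule.get("Policy", "accept")).lower()  # assumed default: accept
        src = rule.get("SourceCidrIp")
        if not isinstance(src, str):
            continue  # absent or an unresolved template function; needs manual review
        if policy == "accept" and not is_private_only(src):
            out.append((name, src))
    return out

# Constructed sample template, for illustration only.
SAMPLE = {"ROSTemplateFormatVersion": "2015-09-01", "Resources": {
    "WebSG": {"Type": "ALIYUN::ECS::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "PortRange": "443/443", "SourceCidrIp": "10.1.0.0/16"},
            {"IpProtocol": "tcp", "PortRange": "80/80", "SourceCidrIp": "10.0.0.0/7"},
            {"IpProtocol": "tcp", "PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0",
             "Policy": "drop"}]}},
    "DbRule": {"Type": "ALIYUN::ECS::SecurityGroupIngress", "Properties": {
        "IpProtocol": "tcp", "PortRange": "3306/3306", "SourceCidrIp": "172.32.0.1"}}}}

if __name__ == "__main__":
    for resource, source in violations(SAMPLE):
        print(f"{resource}: accept rule allows public source {source}")
```

The check tests containment rather than overlap, so a supernet such as 10.0.0.0/7 and a near miss such as 172.32.0.1 (just outside 172.16.0.0/12) are both reported.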