VPC security groups attached to EC2 instances should not permit ingress from 0.0.0.0/0 to all ports


EC2 security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.

Remediation Steps

AWS Console

  • Navigate to EC2.

  • In the left navigation, select Security Groups.

  • Select the desired security group and click the Inbound tab.

  • Click Edit rules.

  • Remove any permissions that allow 0.0.0.0/0 to all ports.


AWS CLI

  • Remove ingress rules which allow connectivity from anywhere to all ports and protocols:

    • aws ec2 revoke-security-group-ingress --group-id <id> --ip-permissions <ip_permissions>


Terraform

  • Ensure that every aws_security_group ingress block associated with an EC2 instance does NOT contain the following:

    • 0.0.0.0/0 in the cidr_blocks field

    • a from_port of 0 and a to_port of 65535, OR from_port and to_port both set to 0

Example Configuration

resource "aws_instance" "example" {
  # Use vpc_security_group_ids for an instance in a non-default VPC, or
  # security_groups (group names) for an instance in the default VPC, not both.
  vpc_security_group_ids = [aws_security_group.example.id]     # non-default VPC
  # security_groups      = [aws_security_group.example.name]   # default VPC
  # other required fields here
}

resource "aws_security_group" "example" {
  ingress {
    protocol    = "tcp"          # protocol is required in an ingress block
    cidr_blocks = ["0.0.0.0/0"]  # open from anywhere: violates this rule
    from_port   = 0
    to_port     = 65535          # every port
    # other required fields here
  }
  # other required fields here
}
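The CLI revoke step and the ingress criteria above, worked through in an added Python example that is not part of the original page: it scans security-group JSON in the shape of `aws ec2 describe-security-groups` output (a constructed sample; field names are assumed from the public API), flags rules open from anywhere to all ports, and builds the `--ip-permissions` JSON for `revoke-security-group-ingress` that removes only the offending CIDRs. It goes beyond the page by also treating `::/0` (IPv6 anywhere) and protocol `-1` (all traffic) as matches.

```python
import json
# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (field names are assumed from the public API, not taken from the page).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # one port: allowed
    ]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},           # all traffic over IPv6
    ]},
]

ANYWHERE = {"0.0.0.0/0", "::/0"}   # "anywhere" for IPv4 and IPv6

def covers_all_ports(perm):
    # IpProtocol "-1" is "all traffic": every protocol, and no port fields at all.
    if perm.get("IpProtocol") == "-1":
        return True
    return (perm.get("FromPort"), perm.get("ToPort")) in ((0, 65535), (0, 0))

def anywhere_ranges(perm):
    """Split a rule's CIDR entries into the offending IPv4 and IPv6 ones."""
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANYWHERE]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANYWHERE]
    return v4, v6

def find_violations(groups):
    """(group_id, permission) for every rule open from anywhere to all ports."""
    return [(g["GroupId"], p) for g in groups for p in g.get("IpPermissions", [])
            if any(anywhere_ranges(p)) and covers_all_ports(p)]

def revoke_ip_permissions(perm):
    """--ip-permissions JSON that removes only the anywhere CIDRs from one rule."""
    out = {"IpProtocol": perm["IpProtocol"]}
    if "FromPort" in perm:                    # absent for protocol -1
        out["FromPort"], out["ToPort"] = perm["FromPort"], perm["ToPort"]
    v4, v6 = anywhere_ranges(perm)            # narrower sources stay in place
    if v4: out["IpRanges"] = v4
    if v6: out["Ipv6Ranges"] = v6
    return json.dumps([out], separators=(",", ":"))

def revoke_commands(groups):
    """One `aws ec2 revoke-security-group-ingress` command line per violation."""
    return [f"aws ec2 revoke-security-group-ingress --group-id {gid} "
            f"--ip-permissions '{revoke_ip_permissions(p)}'"
            for gid, p in find_violations(groups)]
```

Run against real output by loading `SecurityGroups` from `aws ec2 describe-security-groups --output json` and passing it to `revoke_commands`; review each printed command before executing it.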