EC2 instances with security groups allowing inbound TCP from any address to Oracle listener ports 1521, 2483, or 2484
Risk
Exposed Oracle listener ports enable SID enumeration, credential brute force, and TNS abuse. A successful intrusion can grant database access, causing data exfiltration (C), unauthorized changes (I), and outages via exploits or DoS (A). Internet scanning quickly finds these endpoints, enlarging the attack surface.
prowler aws --checks ec2_instance_port_oracle_exposed_to_internet
prowler aws --checks ec2_instance_port_oracle_exposed_to_internet --fixer
Recommendation
Restrict the Oracle ports to trusted sources only: remove any rule whose source is 0.0.0.0/0 or ::/0. Place database instances in private subnets without public IP addresses and reach them over VPN, Direct Connect, or a bastion host. Enable TLS on port 2484 and strong authentication, apply least-privilege rules, and add defense in depth with network ACLs and monitoring.
Remediation
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 1521 --cidr 0.0.0.0/0
- In the AWS Console, go to EC2 > Security Groups
- Select the security group attached to the instance
- Open the Inbound rules tab and click Edit inbound rules
- For TCP ports 1521, 2483, and 2484, delete any rule with Source 0.0.0.0/0 or ::/0
- If access is required, change the Source to a specific trusted CIDR only
- Click Save rules
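The following script is an added illustration of the check and the remediation above; it is not Prowler's own code. It evaluates a security group in the shape returned by boto3's `describe_security_groups()` and flags any rule that lets 0.0.0.0/0 or ::/0 reach TCP 1521, 2483, or 2484, including rules that cover those ports through a wider port range or an "all traffic" (`IpProtocol` "-1") rule. For each finding it builds the matching `aws ec2 revoke-security-group-ingress` arguments. The security group id and rules are constructed sample data; the `--ip-permissions` form is used so that IPv6 sources and "all traffic" rules are handled as well as the single-port IPv4 case.

```python
import json

ORACLE_PORTS = (1521, 2483, 2484)
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def rule_covers_port(perm, port):
    """True if an IpPermissions entry lets TCP traffic reach `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "all traffic": every protocol and every port
        return True
    if proto != "tcp":         # udp/icmp rules cannot reach a TCP listener
        return False
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def open_sources(perm):
    """Sources in the rule that mean 'the whole internet' (IPv4 or IPv6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_V4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_V6]
    return v4 + v6


def find_exposed_oracle_rules(sg):
    """Return one finding per (rule, open source) pair that exposes an Oracle port."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = [p for p in ORACLE_PORTS if rule_covers_port(perm, p)]
        if not ports:
            continue
        for src in open_sources(perm):
            findings.append({
                "group_id": sg["GroupId"],
                "protocol": perm["IpProtocol"],
                "from_port": perm.get("FromPort"),
                "to_port": perm.get("ToPort"),
                "source": src,
                "oracle_ports": ports,
            })
    return findings


def revoke_ip_permission(finding):
    """IpPermissions entry that matches the offending rule exactly.

    revoke-security-group-ingress only removes a rule when protocol, port range
    and source all match, and IPv6 sources require --ip-permissions, not --cidr.
    """
    perm = {"IpProtocol": finding["protocol"]}
    if finding["protocol"] != "-1":        # "all traffic" rules carry no port range
        perm["FromPort"] = finding["from_port"]
        perm["ToPort"] = finding["to_port"]
    if ":" in finding["source"]:
        perm["Ipv6Ranges"] = [{"CidrIpv6": finding["source"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": finding["source"]}]
    return perm


def revoke_command(finding):
    """aws CLI argv that removes the whole offending rule.

    A wide rule (e.g. a port range or all traffic) is removed entirely, so a
    replacement rule with a trusted CIDR must be added afterwards if needed.
    """
    return [
        "aws", "ec2", "revoke-security-group-ingress",
        "--group-id", finding["group_id"],
        "--ip-permissions", json.dumps([revoke_ip_permission(finding)]),
    ]


# Constructed sample in the shape boto3's describe_security_groups() returns.
SAMPLE_SG = {
    "GroupId": "sg-0123456789example",      # placeholder id, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 2480, "ToPort": 2490,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for f in find_exposed_oracle_rules(SAMPLE_SG):
        print(f["source"], "->", f["oracle_ports"], " ".join(revoke_command(f)))
```

Against the sample group this reports three findings: the 1521 rule open to 0.0.0.0/0 (the 10.0.0.0/8 entry is left alone), the 2480-2490 range open to ::/0 (covering 2483 and 2484), and the all-traffic rule (covering all three ports); the 443 rule is not reported. To run it against a real account, pass each element of `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `find_exposed_oracle_rules` and review the generated commands before executing them.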
Resource Type
AwsEc2Instance