This check identifies EC2 instances whose security groups allow inbound PostgreSQL (TCP 5432) from the Internet (0.0.0.0/0 or ::/0), taking into account whether the instance is publicly reachable through its public IP and subnet.
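The selection logic described above, as an added example that is not Prowler's own code: it evaluates records shaped like `describe-instances` and `describe-security-groups` output against constructed sample data. The subnet map, the helper names and the use of `MapPublicIpOnLaunch` as the subnet reachability signal are assumptions.

```python
ANY_CIDR = {"0.0.0.0/0", "::/0"}

def rule_opens_port(rule, port=5432):
    # One IpPermissions entry; protocol "-1" means every protocol and port.
    proto = rule.get("IpProtocol")
    in_range = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    if proto != "-1" and not (proto == "tcp" and in_range):
        return False
    sources = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(s in ANY_CIDR for s in sources)

def instance_is_public(inst, subnets):
    # Reachable if a public IPv4 is assigned or the subnet auto-assigns one (assumption).
    return bool(inst.get("PublicIpAddress")) or bool(
        subnets.get(inst["SubnetId"], {}).get("MapPublicIpOnLaunch", False))

def find_exposed_instances(instances, security_groups, subnets):
    # Ids of publicly reachable instances whose SGs admit TCP 5432 from anywhere.
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    exposed = []
    for inst in instances:
        if not instance_is_public(inst, subnets):
            continue  # private-only instance: the open rule is not Internet-reachable
        perms = [p for ref in inst.get("SecurityGroups", [])
                 for p in sg_by_id.get(ref["GroupId"], {}).get("IpPermissions", [])]
        if any(rule_opens_port(p) for p in perms):
            exposed.append(inst["InstanceId"])
    return exposed

# Constructed sample data shaped like describe-* output (not real AWS resources).
SAMPLE_SGS = [
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-v6", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5000,
        "ToPort": 6000, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-trusted", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}]
SAMPLE_SUBNETS = {"subnet-pub": {"MapPublicIpOnLaunch": True},
                  "subnet-priv": {"MapPublicIpOnLaunch": False}}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-public-open", "PublicIpAddress": "203.0.113.10",
     "SubnetId": "subnet-pub", "SecurityGroups": [{"GroupId": "sg-open"}]},
    {"InstanceId": "i-public-v6range", "SubnetId": "subnet-pub",
     "SecurityGroups": [{"GroupId": "sg-v6"}]},
    {"InstanceId": "i-private-open", "SubnetId": "subnet-priv",
     "SecurityGroups": [{"GroupId": "sg-open"}]},
    {"InstanceId": "i-public-trusted", "PublicIpAddress": "203.0.113.11",
     "SubnetId": "subnet-pub", "SecurityGroups": [{"GroupId": "sg-trusted"}]}]
```

Note that a port range covering 5432 (here 5000-6000 over ::/0) and an all-protocols rule ("-1") both count as exposure, while the same open rule on an instance in a private subnet without a public IP does not.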
Risk
Exposed TCP 5432 enables unauthenticated Internet probes and brute-force attempts against PostgreSQL, risking database confidentiality, integrity, and availability. Attackers could dump data, alter schemas, create backdoor accounts, pivot within the VPC, or exploit unpatched flaws at scale.
prowler aws --checks ec2_instance_port_postgresql_exposed_to_internet
prowler aws --checks ec2_instance_port_postgresql_exposed_to_internet --fixer
Recommendation
Restrict PostgreSQL to trusted sources only:
- Remove 0.0.0.0/0 and ::/0 rules
- Apply least privilege security groups (allow from app tier or VPN)
- Place instances in private subnets without public IPs
- Enforce TLS and strong auth; disable unused listeners
- Layer with NACLs and monitoring for defense in depth
Remediation
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 5432 --cidr 0.0.0.0/0
- In AWS Console, go to EC2 > Security Groups
- Select the group attached to the instance
- In Inbound rules, find any rule for PostgreSQL (TCP 5432) with source 0.0.0.0/0 or ::/0
- Delete the rule or change the source to a specific trusted CIDR only
- Save rules
Resource Type
AwsEc2Instance