EC2 instances whose security groups allow Internet-wide inbound RDP on TCP 3389 (0.0.0.0/0 or ::/0). The instance's public IP and subnet routing are considered to determine external reachability.
Risk
Internet-exposed RDP allows:
- Brute force and credential reuse on Windows logons
- Exploitation of RDP flaws for remote code execution
- Lateral movement and data exfiltration
This threatens confidentiality, integrity, and availability through data theft, tampering, account lockouts, or ransomware.
Run this check with Prowler CLI
prowler aws --checks ec2_instance_port_rdp_exposed_to_internet
Fix finding with Prowler CLI
prowler aws --checks ec2_instance_port_rdp_exposed_to_internet --fixer
Recommendation
Remove Internet-wide RDP. Apply least privilege:
- Restrict TCP 3389 to trusted IPs
- Prefer private access via VPN or a hardened bastion; consider Session Manager
- Use just-in-time access and short-lived rules
- Enforce strong auth (e.g., NLA) and monitor logs
Adopt defense in depth with layered network controls.
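The following is an added example, not Prowler's own check code, showing the decision logic described at the top of this page (a rule on any attached security group that covers TCP 3389 from 0.0.0.0/0 or ::/0, on an instance with a public IP) and the least-privilege replacement rule the recommendation calls for. It works on the shape of the AWS `describe-security-groups` and `describe-instances` responses; the group IDs, instance IDs, public IPs and trusted CIDR are constructed placeholders, and subnet routing is assumed to be Internet-routable rather than modelled.

```python
"""Added example (not Prowler's code): detect Internet-exposed RDP on EC2 and
build a least-privilege replacement rule. Sample data below is constructed."""
from __future__ import annotations

RDP_PORT = 3389
INTERNET_V4 = "0.0.0.0/0"
INTERNET_V6 = "::/0"


def rule_covers_port(perm: dict, port: int = RDP_PORT) -> bool:
    """True if an IpPermissions entry matches TCP <port>.
    IpProtocol "-1" means all traffic and carries no port range; a TCP rule
    covers the port when FromPort <= port <= ToPort (port ranges count too)."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def internet_sources(perm: dict) -> list[str]:
    """CIDRs in the rule that mean 'anywhere', IPv4 or IPv6."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == INTERNET_V4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == INTERNET_V6]
    return v4 + v6


def exposed_rdp_rules(group: dict) -> list[tuple[str, str]]:
    """(GroupId, offending CIDR) for every inbound rule opening RDP to the Internet."""
    found = []
    for perm in group.get("IpPermissions", []):
        if rule_covers_port(perm):
            for cidr in internet_sources(perm):
                found.append((group["GroupId"], cidr))
    return found


def instance_rdp_exposed(instance: dict, groups_by_id: dict) -> bool:
    """Fires only when the instance is externally reachable (has a public IP;
    subnet routing is assumed Internet-routable here) AND one of its groups
    opens 3389 to 0.0.0.0/0 or ::/0."""
    if not instance.get("PublicIpAddress"):
        return False
    return any(exposed_rdp_rules(groups_by_id.get(sg["GroupId"], {}))
               for sg in instance.get("SecurityGroups", []))


def restricted_rdp_rule(trusted_cidr: str) -> dict:
    """Least-privilege replacement: TCP 3389 from a trusted range only. This is
    the IpPermissions entry to authorize after revoking the 0.0.0.0/0 rule."""
    return {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
            "IpRanges": [{"CidrIp": trusted_cidr, "Description": "RDP from trusted range"}]}


# Constructed sample data (placeholder IDs and documentation-range addresses).
SAMPLE_GROUPS = {
    "sg-0open": {"GroupId": "sg-0open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    "sg-0range": {"GroupId": "sg-0range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "sg-0safe": {"GroupId": "sg-0safe", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-public-open", "PublicIpAddress": "198.51.100.10",
     "SecurityGroups": [{"GroupId": "sg-0open"}]},
    {"InstanceId": "i-public-range", "PublicIpAddress": "198.51.100.11",
     "SecurityGroups": [{"GroupId": "sg-0range"}]},
    {"InstanceId": "i-public-safe", "PublicIpAddress": "198.51.100.12",
     "SecurityGroups": [{"GroupId": "sg-0safe"}]},
    {"InstanceId": "i-private-open",  # no public IP: not reachable, no finding
     "SecurityGroups": [{"GroupId": "sg-0open"}]},
]


def findings(instances=SAMPLE_INSTANCES, groups=SAMPLE_GROUPS) -> list[str]:
    """Instance IDs that would FAIL this check."""
    return [i["InstanceId"] for i in instances if instance_rdp_exposed(i, groups)]


if __name__ == "__main__":
    for iid in findings():
        print(f"FAIL {iid}: RDP (TCP 3389) exposed to the Internet")
    print("replacement rule:", restricted_rdp_rule("203.0.113.0/24"))
```

Note that the port-range case (`sg-0range`, 3000-4000 from ::/0) is flagged as well; a console rule that does not literally say "3389" can still expose RDP, which is why the check compares against the FromPort/ToPort range rather than matching the port number as text.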
Remediation
CLI
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 3389 --cidr 0.0.0.0/0
Other
- In AWS Console, go to EC2 > Security Groups
- Open each security group attached to the affected instance
- In Inbound rules, find any rule allowing TCP 3389 from 0.0.0.0/0 or ::/0
- Delete the rule, or edit Source to a specific trusted IP/CIDR only
- Click Save rules
Resource Type
AwsEc2Instance
References
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
- https://support.icompaas.com/support/solutions/articles/62000233789-ensure-no-ec2-instances-allow-ingress-from-the-internet-to-tcp-port-3389-rdp-
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/EC2/unrestricted-rdp-access.html