EC2 instances with SSH (TCP 22) exposed to the Internet via security group inbound rules allowing 0.0.0.0/0 or ::/0.
Exposure is qualified using the instance's public IP status and subnet reachability.
Risk
Internet-exposed SSH invites brute force and credential stuffing. A successful sign-in grants a remote shell, enabling data exfiltration, tampering with workloads, and lateral movement within the VPC, degrading confidentiality, integrity, and availability.
prowler aws --checks ec2_instance_port_ssh_exposed_to_internet
prowler aws --checks ec2_instance_port_ssh_exposed_to_internet --fixer
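The evaluation the description above lays out (a security group rule opening TCP/22 to the world, then qualification by public IP and subnet reachability), as an added example that is not Prowler's own code. The route-table lookup used for "reachability", the sample resource IDs, and reporting an open rule on a non-reachable instance as FAIL are assumptions of this example:

```python
# Added example (not Prowler's code): the check's logic over constructed data
# shaped like describe-security-groups / describe-instances / describe-route-tables.
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def rule_opens_ssh(perm):
    """True if one IpPermission entry covers TCP/22 from 0.0.0.0/0 or ::/0."""
    proto = perm.get("IpProtocol")
    if proto == "tcp" and not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
        return False
    if proto not in ("tcp", "-1"):  # "-1" means all protocols and ports
        return False
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in OPEN_CIDRS for c in cidrs)

def subnet_is_public(subnet_id, route_tables):
    """True if the subnet's route table (explicit, else the VPC main) defaults to an IGW."""
    explicit = main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = rt
            elif assoc.get("Main"):
                main = rt
    routes = (explicit or main or {}).get("Routes", [])
    return any((r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")) in OPEN_CIDRS
               and r.get("GatewayId", "").startswith("igw-") for r in routes)

def assess(instance, sgs, route_tables):
    """Return (status, reason); reporting a non-reachable open rule as FAIL is this example's assumption."""
    open_sgs = [g["GroupId"] for g in instance["SecurityGroups"]
                if any(rule_opens_ssh(p) for p in sgs[g["GroupId"]]["IpPermissions"])]
    if not open_sgs:
        return "PASS", "no security group opens TCP/22 to 0.0.0.0/0 or ::/0"
    if instance.get("PublicIpAddress") and subnet_is_public(instance["SubnetId"], route_tables):
        return "FAIL", f"TCP/22 reachable from the Internet via {open_sgs}"
    return "FAIL", f"{open_sgs} open TCP/22 to the world; instance lacks public IP or IGW route"
# Constructed sample data with hypothetical IDs.
SGS = {"sg-open": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
       "sg-vpn": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                     "IpRanges": [{"CidrIp": "10.8.0.0/16"}]}]}}
ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-pub"}],
                 "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
                {"Associations": [{"Main": True}],
                 "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]}]
EXPOSED = {"PublicIpAddress": "203.0.113.10", "SubnetId": "subnet-pub",
           "SecurityGroups": [{"GroupId": "sg-open"}]}
PRIVATE = {"SubnetId": "subnet-priv", "SecurityGroups": [{"GroupId": "sg-open"}]}
SAFE = dict(EXPOSED, SecurityGroups=[{"GroupId": "sg-vpn"}])
```

Note that a rule such as TCP 0-1024 from 0.0.0.0/0, or protocol -1 from ::/0, also counts as opening SSH, which is why port ranges and the all-protocols case are checked rather than only exact port 22 rules.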
Recommendation
Apply least privilege on SSH:
- Restrict ingress to trusted IPs; avoid 0.0.0.0/0 and ::/0
- Prefer Session Manager or a hardened bastion behind VPN
- Use key-based auth; disable passwords
- Add defense in depth with network controls and monitor access logs
Remediation
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]},{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
- Open the Amazon EC2 console and go to Security Groups
- Select the security group attached to the instance
- Click Inbound rules > Edit inbound rules
- Delete any rule allowing SSH (port 22) from 0.0.0.0/0 or ::/0
- Save rules
Resource Type
AwsEc2Instance