EC2 instances with security groups allowing inbound Telnet on TCP 23 from the Internet are identified, including open IPv4/IPv6 sources like 0.0.0.0/0 and ::/0.
Exposure is evaluated considering public IP assignment and subnet reachability.
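The evaluation described above, as an added example that is not Prowler's own check code: it walks the security-group rules of an instance (data shaped like simplified boto3 describe_instances / describe_security_groups responses, constructed here) and flags TCP 23 open to 0.0.0.0/0 or ::/0, handling port ranges and the all-traffic protocol "-1", and only when the instance has a public IP and a subnet route to the Internet (the SubnetRouteToInternet flag is an assumed simplification of the route-table lookup).

```python
import ipaddress

TELNET_PORT = 23

# Constructed sample: a public instance whose SG opens TCP 20-25 to the world.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0example",
    "PublicIpAddress": "203.0.113.10",
    "SubnetRouteToInternet": True,  # assumed: subnet route table has an IGW route
    "SecurityGroups": [{"GroupId": "sg-0example"}],
}
SAMPLE_SECURITY_GROUPS = {
    "sg-0example": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ]
    }
}


def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic on `port` (ranges and '-1' included)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_open_to_internet(rule):
    """True if any IPv4/IPv6 source is a /0 (0.0.0.0/0 or ::/0)."""
    v4 = (r["CidrIp"] for r in rule.get("IpRanges", []))
    v6 = (r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []))
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in (*v4, *v6))


def telnet_exposed(instance, security_groups):
    """Return the ids of security groups exposing Telnet; empty list means PASS."""
    # No public IP or no Internet route: not reachable, so no finding.
    if not instance.get("PublicIpAddress") or not instance.get("SubnetRouteToInternet"):
        return []
    offenders = []
    for sg in instance["SecurityGroups"]:
        perms = security_groups[sg["GroupId"]]["IpPermissions"]
        if any(rule_covers_port(p, TELNET_PORT) and rule_open_to_internet(p)
               for p in perms):
            offenders.append(sg["GroupId"])
    return offenders
```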
Risk
Exposed Telnet weakens confidentiality and integrity: credentials and commands travel in plaintext, enabling interception and session hijacking. Attackers can brute-force credentials to gain a shell, run remote commands, exfiltrate data, and pivot laterally, also threatening availability through misuse or takeover.
prowler aws --checks ec2_instance_port_telnet_exposed_to_internet
prowler aws --checks ec2_instance_port_telnet_exposed_to_internet --fixer
Recommendation
Eliminate Telnet: disable the service and block TCP 23.
Apply least-privilege network access: restrict admin connectivity to SSH through a bastion or VPN, keep management paths private, and segregate hosts. Use defense in depth with monitoring and strong authentication for any legacy needs.
Remediation
aws ec2 revoke-security-group-ingress --group-id <SECURITY_GROUP_ID> --protocol tcp --port 23 --cidr 0.0.0.0/0
- In the AWS Console, go to EC2 > Security Groups
- Select the security group attached to the affected instance
- Open the Inbound rules tab and find any rule allowing TCP port 23 from 0.0.0.0/0 or ::/0
- Delete the rule, or edit it to a specific trusted CIDR only
- Click Save rules
Source Code
Resource Type
AwsEc2Instance