EC2 security groups with inbound rules permitting Internet sources (0.0.0.0/0, ::/0) to all ports across any protocol
Risk
Opening every port to the Internet enables broad scanning and exploit attempts, leading to unauthorized access, remote code execution, and data exfiltration, with easier lateral movement into the VPC. Confidentiality, integrity, and availability are all at risk.
prowler aws --checks ec2_securitygroup_allow_ingress_from_internet_to_all_ports
Recommendation
Enforce least privilege on ingress: allow only required ports from trusted sources, avoid 0.0.0.0/0 and ::/0. Prefer private access (VPN, bastion, or Session Manager), use security group references, and layer defense in depth with network ACLs. Periodically review and remove unused rules.
Remediation
- In the AWS Console, go to EC2 > Security Groups
- Select the affected security group
- Open the Inbound rules tab and click Edit inbound rules
- Delete any rule where Type is All traffic (protocol = All) with Source 0.0.0.0/0 or ::/0
- Click Save rules
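The following is an added example, not Prowler's own check code and not part of this page's original content. It walks the rule structure that boto3's ec2.describe_security_groups() returns, reports each rule that exposes all ports to an Internet source, and builds the minimal IpPermissions list needed to remove only the offending sources (the same step as "Delete any rule where Type is All traffic" above, but keeping any trusted CIDRs or group references on the same rule). All security group IDs, names and rules below are constructed sample data, and no AWS call is made. As an extension beyond the check described on this page, a TCP or UDP rule spanning ports 0-65535 from the Internet is also reported, with its own reason string.

```python
"""Detect EC2 security group ingress rules that open all ports to the Internet.

Added example: the dictionaries mirror the shape of boto3's
ec2.describe_security_groups() response, but every value below is constructed
for illustration and not taken from a real account.
"""
from __future__ import annotations

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def internet_ranges(rule: dict) -> tuple[list[str], list[str]]:
    """Split an ingress rule's sources into the IPv4 and IPv6 Internet-wide CIDRs it names."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") in INTERNET_CIDRS]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") in INTERNET_CIDRS]
    return v4, v6


def all_ports_reason(rule: dict) -> str | None:
    """Why a rule counts as 'all ports', or None if it does not.

    IpProtocol "-1" is the console's 'All traffic' type (every protocol, every
    port). As an extension of the check on this page, a TCP or UDP rule spanning
    0-65535 is also reported, since it exposes every port of that protocol.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return "All traffic (every protocol and port)"
    if proto in ("tcp", "udp") and rule.get("FromPort") == 0 and rule.get("ToPort") == 65535:
        return f"All {proto.upper()} ports (0-65535)"
    return None


def find_open_all_ports(security_groups: list[dict]) -> list[dict]:
    """Return one finding per offending rule across the given security groups."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            reason = all_ports_reason(rule)
            v4, v6 = internet_ranges(rule)
            if reason is None or not (v4 or v6):
                continue
            findings.append({
                "GroupId": sg["GroupId"],
                "GroupName": sg.get("GroupName", ""),
                "IpProtocol": rule["IpProtocol"],
                "Sources": v4 + v6,
                "Reason": reason,
            })
    return findings


def permissions_to_revoke(sg: dict) -> list[dict]:
    """Build the IpPermissions list that removes only the offending Internet
    sources from a group, leaving trusted CIDRs and group references in place.
    The result has the shape ec2.revoke_security_group_ingress(GroupId=...,
    IpPermissions=...) expects; this example does not call AWS."""
    to_revoke = []
    for rule in sg.get("IpPermissions", []):
        if all_ports_reason(rule) is None:
            continue
        v4, v6 = internet_ranges(rule)
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": rule["IpProtocol"]}
        if "FromPort" in rule:  # absent for protocol -1, present for tcp/udp ranges
            entry["FromPort"] = rule["FromPort"]
            entry["ToPort"] = rule["ToPort"]
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        to_revoke.append(entry)
    return to_revoke


# Constructed sample data; group IDs are placeholders, not real resources.
SAMPLE_SECURITY_GROUPS = [
    {   # Flagged: 'All traffic' from both IPv4 and IPv6 Internet, plus a trusted range
        "GroupId": "sg-0aaaa111example", "GroupName": "wide-open",
        "IpPermissions": [{
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            "UserIdGroupPairs": [],
        }],
    },
    {   # Flagged by the extension: every TCP port from the IPv6 Internet
        "GroupId": "sg-0bbbb222example", "GroupName": "all-tcp",
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
            "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
        }],
    },
    {   # Not flagged: a single port from the Internet is a different check,
        # and 'All traffic' from another security group is not an Internet source
        "GroupId": "sg-0cccc333example", "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0dddd444example"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in find_open_all_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Reason']} from {', '.join(f['Sources'])}")
    print(permissions_to_revoke(SAMPLE_SECURITY_GROUPS[0]))
```

Run against real data by feeding `find_open_all_ports(ec2.describe_security_groups()["SecurityGroups"])` and, after reviewing each finding, passing `permissions_to_revoke(sg)` to `ec2.revoke_security_group_ingress`. Revoking only the Internet CIDRs, rather than the whole rule, keeps the 10.0.0.0/8 source in the first sample group intact, which is what the least-privilege recommendation above asks for.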
Source Code
Resource Type
AwsEc2SecurityGroup