Alibaba Cloud ECS security groups provide stateful filtering of ingress and egress network traffic to cloud resources. This check verifies that no security group allows unrestricted ingress access to port 3389 (RDP) from the internet (0.0.0.0/0 or ::/0). Restricting RDP access to trusted IP addresses significantly reduces the attack surface of ECS instances.
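The evaluation the check performs, written out as an added Python example (not Prowler's own code): it walks a security group's permissions and fails the group when any accept rule in the ingress direction covers TCP 3389 from 0.0.0.0/0 or ::/0, including wildcard "ALL"/"-1/-1" rules. The rule field names (Direction, Policy, IpProtocol, PortRange, SourceCidrIp, Ipv6SourceCidrIp) are assumed to match the ECS DescribeSecurityGroupAttribute response, and the sample rules are constructed.

```python
# Added example, not Prowler's code: flag ingress rules that accept TCP 3389
# from the whole internet. Field names are assumed to follow the ECS
# DescribeSecurityGroupAttribute response; sample rules below are constructed.

RDP_PORT = 3389
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def port_range_covers(port_range: str, port: int) -> bool:
    """True if an ECS PortRange string ("3389/3389", "1/65535", "-1/-1") includes port."""
    low, high = (int(p) for p in port_range.split("/"))
    if low == -1 and high == -1:  # -1/-1 means every port (used with protocol ALL)
        return True
    return low <= port <= high


def rule_exposes_rdp(rule: dict) -> bool:
    """True if one permission opens RDP to the internet over IPv4 or IPv6."""
    if rule.get("Direction", "ingress") != "ingress":
        return False  # egress rules do not admit inbound RDP
    if rule.get("Policy", "Accept").lower() != "accept":
        return False  # explicit Drop rules do not expose anything
    proto = rule.get("IpProtocol", "").lower()
    if proto not in ("tcp", "all"):
        return False  # UDP/ICMP/GRE rules cannot carry RDP
    if not port_range_covers(rule.get("PortRange", "-1/-1"), RDP_PORT):
        return False
    return rule.get("SourceCidrIp") == ANY_IPV4 or rule.get("Ipv6SourceCidrIp") == ANY_IPV6


def check_security_group(group_id: str, permissions: list) -> dict:
    """Prowler-style finding: PASS when no rule exposes RDP, else FAIL with the offenders."""
    offending = [r for r in permissions if rule_exposes_rdp(r)]
    return {"resource_id": group_id, "status": "FAIL" if offending else "PASS", "offending_rules": offending}


# Constructed sample: the first group fails on a wildcard ALL rule, the second passes.
SAMPLE_GROUPS = {
    "sg-example-open": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "10.0.0.0/8"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    ],
    "sg-example-restricted": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "203.0.113.10/32"},
        {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "Ipv6SourceCidrIp": "::/0"},
    ],
}

if __name__ == "__main__":
    for gid, perms in SAMPLE_GROUPS.items():
        finding = check_security_group(gid, perms)
        print(f"{gid}: {finding['status']} ({len(finding['offending_rules'])} offending rule(s))")
```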
Risk
Unrestricted RDP access from the internet (0.0.0.0/0) exposes systems to brute force attacks, credential stuffing, and exploitation of RDP vulnerabilities such as BlueKeep. This can lead to unauthorized access, data exfiltration, and full system compromise, impacting confidentiality, integrity, and availability.
prowler alibabacloud --checks ecs_securitygroup_restrict_rdp_internet
Recommendation
Restrict RDP (port 3389) access in security groups to only trusted IP addresses or CIDR blocks. Remove any rules allowing access from 0.0.0.0/0 or ::/0.
Remediation
aliyun ecs RevokeSecurityGroup --SecurityGroupId <security_group_id> --IpProtocol tcp --PortRange 3389/3389 --SourceCidrIp 0.0.0.0/0
- Log on to the ECS Console.
- In the left-side navigation pane, choose Network & Security > Security Groups.
- Find the target security group and click Add Rules.
- Locate the rule allowing port 3389 from 0.0.0.0/0.
- Modify the Source IP range to a specific trusted IP or CIDR block.
- Click Save.
Resource Type
ALIYUN::ECS::SecurityGroup