Lightsail instances that have a public IP address and at least one firewall rule allowing public ports are treated as publicly exposed. The evaluation inspects the instance's addressing and its IPv4 and IPv6 firewall rules and flags any port or port range whose source is marked public.
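The evaluation described above, as an added example that is not Prowler's own check code: it classifies GetInstance-shaped records by the same two conditions (public IP present, at least one port rule reachable from anywhere). The sample instances are constructed, and the rule that a port counts as public when Lightsail marks its accessType "Public" or any of its source ranges is 0.0.0.0/0 or ::/0 is this example's assumption, not a statement of how the Prowler check is implemented.

```python
"""Added example (not Prowler's check code): decide whether a Lightsail
instance is publicly exposed from the shape of a lightsail:GetInstance response."""
import ipaddress

# Constructed sample data shaped like the `instance` object returned by
# lightsail:GetInstance (only the fields this example reads are included).
SAMPLE_INSTANCES = [
    {   # public IP, SSH and HTTPS open to the world -> exposed
        "name": "web-1",
        "publicIpAddress": "203.0.113.10",
        "networking": {"ports": [
            {"fromPort": 22, "toPort": 22, "protocol": "tcp", "accessType": "Public",
             "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": [], "cidrListAliases": []},
            {"fromPort": 443, "toPort": 443, "protocol": "tcp", "accessType": "Public",
             "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
        ]},
    },
    {   # public IP, but SSH only from one office range -> not exposed
        "name": "db-1",
        "publicIpAddress": "203.0.113.11",
        "networking": {"ports": [
            {"fromPort": 22, "toPort": 22, "protocol": "tcp", "accessType": "Private",
             "cidrs": ["198.51.100.0/24"], "ipv6Cidrs": [], "cidrListAliases": []},
        ]},
    },
    {   # public IP, empty firewall (the state the remediation leaves) -> not exposed
        "name": "closed-1",
        "publicIpAddress": "203.0.113.12",
        "networking": {"ports": []},
    },
    {   # no public IP at all, however open the rules -> not reachable from the Internet
        "name": "internal-1",
        "networking": {"ports": [
            {"fromPort": 0, "toPort": 65535, "protocol": "all", "accessType": "Public",
             "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
        ]},
    },
]


def is_world_open(cidr: str) -> bool:
    """A source range is world-open when its prefix length is 0 (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def public_sources(rule: dict) -> list:
    """Sources of one firewall rule that admit the whole Internet (assumption: a rule
    is public when accessType is "Public" or any IPv4/IPv6 source range is world-open)."""
    sources = [c for c in rule.get("cidrs", []) + rule.get("ipv6Cidrs", []) if is_world_open(c)]
    if rule.get("accessType") == "Public" and not sources:
        sources = ["anywhere"]
    return sources


def evaluate(instance: dict) -> dict:
    """Return a Prowler-style verdict: FAIL when a public IP meets a public port rule."""
    name = instance["name"]
    public_ip = instance.get("publicIpAddress")
    if not public_ip:
        return {"resource": name, "status": "PASS",
                "status_extended": f"Instance {name} has no public IP."}
    findings = []
    for rule in instance.get("networking", {}).get("ports", []):
        sources = public_sources(rule)
        if sources:
            findings.append(f"{rule['protocol']} {rule['fromPort']}-{rule['toPort']} "
                            f"from {','.join(sources)}")
    if findings:
        return {"resource": name, "status": "FAIL",
                "status_extended": f"Instance {name} ({public_ip}) exposes: " + "; ".join(findings)}
    return {"resource": name, "status": "PASS",
            "status_extended": f"Instance {name} ({public_ip}) has no public port rules."}


def run(instances=SAMPLE_INSTANCES) -> dict:
    """Map instance name -> PASS/FAIL over a list of GetInstance-shaped dicts."""
    return {r["resource"]: r["status"] for r in map(evaluate, instances)}


if __name__ == "__main__":
    for inst in SAMPLE_INSTANCES:
        verdict = evaluate(inst)
        print(f"{verdict['status']:4} {verdict['status_extended']}")
```

Note the fourth sample: an instance with wide-open rules but no public IP passes, which is why the check requires both conditions rather than reporting on firewall rules alone.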
Risk
A public IP combined with open ports lets anyone on the Internet scan the instance, brute-force its services, and exploit vulnerabilities in whatever is listening.
- Confidentiality: data exfiltration
- Integrity: RCE/admin takeover via exposed services
- Availability: DoS or abuse (botnets, cryptomining), service disruption
prowler aws --checks lightsail_instance_public
Recommendation
Apply least-privilege network access: close unused ports, restrict sources to known ranges (avoid 0.0.0.0/0 and ::/0), and review both the IPv4 and the IPv6 rule sets. Use a VPN or bastion host for administration. Place services behind private networking or a load balancer, and harden and monitor any endpoint that must remain public.
Remediation
aws lightsail put-instance-public-ports --instance-name <example_resource_name> --port-infos '[]'
- Sign in to the AWS Lightsail console
- Go to Instances and select <example_resource_name>
- Open the Networking tab
- In IPv4 Firewall, delete all existing rules, then Save
- If IPv6 is enabled, in IPv6 Firewall, delete all existing rules, then Save
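The CLI remediation above closes every port; the recommendation asks for something finer, keeping only the ports that must stay public and pinning administrative ports to a known source range. As an added example (not Prowler's or AWS's code), the following derives such a least-privilege rule set from a constructed current rule set and builds the put-instance-public-ports invocation that applies it. The CURRENT_PORTS data and the POLICY (which ports may stay world-reachable, which admin ports are limited to a bastion address) are hypothetical; the PortInfo field names are those the put-instance-public-ports API accepts.

```python
"""Added example (not Prowler's or AWS's code): derive a least-privilege firewall
for a Lightsail instance and the put-instance-public-ports call that applies it."""
import ipaddress
import json
import shlex

# Constructed current rule set, shaped like networking.ports from lightsail:GetInstance.
CURRENT_PORTS = [
    {"fromPort": 22, "toPort": 22, "protocol": "tcp",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": [], "cidrListAliases": []},
    {"fromPort": 80, "toPort": 80, "protocol": "tcp",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
    {"fromPort": 443, "toPort": 443, "protocol": "tcp",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": ["::/0"], "cidrListAliases": []},
    {"fromPort": 3306, "toPort": 3306, "protocol": "tcp",
     "cidrs": ["0.0.0.0/0"], "ipv6Cidrs": [], "cidrListAliases": []},
]

# Hypothetical policy for this example: ports that may stay world-reachable, and
# administrative ports that are restricted to a bastion/VPN egress address.
POLICY = {
    "public_ok": {("tcp", 443)},
    "admin": {("tcp", 22): ["198.51.100.7/32"]},
}


def is_world_open(cidr: str) -> bool:
    """A source range is world-open when its prefix length is 0 (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def tighten(ports: list, policy: dict) -> list:
    """Build the PortInfo list for put-instance-public-ports.

    Single-port rules on the public allow-list are kept as they are, admin ports are
    rewritten to their policy source ranges, and everything else (including any port
    range) is dropped, since the call replaces the whole rule set.
    """
    new_ports = []
    for rule in ports:
        if rule["fromPort"] != rule["toPort"]:
            continue  # ranges are not carried over; re-add single ports deliberately
        key = (rule["protocol"], rule["fromPort"])
        if key in policy["public_ok"]:
            new_ports.append({k: rule[k] for k in
                              ("fromPort", "toPort", "protocol", "cidrs", "ipv6Cidrs", "cidrListAliases")})
        elif key in policy["admin"]:
            new_ports.append({"fromPort": rule["fromPort"], "toPort": rule["toPort"],
                              "protocol": rule["protocol"], "cidrs": policy["admin"][key],
                              "ipv6Cidrs": [], "cidrListAliases": []})
    return new_ports


def world_open_ports(port_infos: list) -> set:
    """(protocol, port) pairs still reachable from 0.0.0.0/0 or ::/0; a sanity check
    that the result exposes nothing beyond the policy's public allow-list."""
    return {(r["protocol"], r["fromPort"]) for r in port_infos
            if any(is_world_open(c) for c in r.get("cidrs", []) + r.get("ipv6Cidrs", []))}


def cli_command(instance_name: str, port_infos: list) -> str:
    """The aws CLI line that replaces the instance's rule set with port_infos."""
    return ("aws lightsail put-instance-public-ports --instance-name "
            + shlex.quote(instance_name) + " --port-infos " + shlex.quote(json.dumps(port_infos)))


if __name__ == "__main__":
    new_rules = tighten(CURRENT_PORTS, POLICY)
    assert world_open_ports(new_rules) <= POLICY["public_ok"]
    print(cli_command("web-1", new_rules))
```

With an empty policy the generated command reduces to the one in the Remediation section (`--port-infos '[]'`), so the same helper covers both the close-everything and the least-privilege cases.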
Source Code
Resource Type
Other