- Product Introduction
- Supported Resource Types
- Purchase Guide
- Getting Started
- Operation Guide
- Resources
- Rule
- Managed Rules
- List of Managed Rule
- MFA on Sensitive Operations Required for CAM Users
- MFA on Login Required for CAM Users
- No Idle User Groups on CAM
- Association with User Group Required for CAM User
- No Authorization Policies Directly Added to CAM Sub-account
- No Administrator Access Permissions Granted to CAM Users, User Groups, or Roles
- Granting of Specific High-Risk Permissions by CAM Not Allowed
- No Idle Permission Policies on CAM
- CAM Login Permission Check
- Key of CAM User Rotated at Specified Interval
- Login by CAM User within Specified Time Range
- CVM Instance Associated with Specified Security Group
- CVM Instance Not Moved to Recycle Bin
- Association of CVM Instance with Specified Role
- CVM Instance Enabled Automatic Renewal
- Notification About Expiration for CVM Instance in Monthly Subscription or Pay-As-You-Go Mode
- No Idle Security Groups
- CVM Instance in VPC
- No CVM Instances Not Assigned to Project
- Inactive Duration of CVM Instance After Shutdown Not Exceeding Specified Number of Days
- Lease Duration of CVM Instance Meeting Requirement of Specified Number of Days
- CVM Instance Bound to IPv4 Public Address
- Specified Tag Existed for Resource
- Access to Remote Risky Ports by Security Group Not Allowed
- Access to All Ports by Security Group Not Allowed
- CBS Disk Enabled Arrear Protection
- CBS Disk Enabled Encryption
- Detachable CBS Disk Not Moved to Recycle Bin
- Number of Available IP Addresses in VPC Subnet Greater than Specified Value
- Expiration Protection for CVM Instance in Pay-As-You-Go Mode
- No Idle CBS Disks
- Using Rules
- Managing Rules
- Conformance Pack
- Settings
- FAQs
- Contact Us
- Glossary
- Product Introduction
- Supported Resource Types
- Purchase Guide
- Getting Started
- Operation Guide
- Resources
- Rule
- Managed Rules
- List of Managed Rule
- MFA on Sensitive Operations Required for CAM Users
- MFA on Login Required for CAM Users
- No Idle User Groups on CAM
- Association with User Group Required for CAM User
- No Authorization Policies Directly Added to CAM Sub-account
- No Administrator Access Permissions Granted to CAM Users, User Groups, or Roles
- Granting of Specific High-Risk Permissions by CAM Not Allowed
- No Idle Permission Policies on CAM
- CAM Login Permission Check
- Key of CAM User Rotated at Specified Interval
- Login by CAM User within Specified Time Range
- CVM Instance Associated with Specified Security Group
- CVM Instance Not Moved to Recycle Bin
- Association of CVM Instance with Specified Role
- CVM Instance Enabled Automatic Renewal
- Notification About Expiration for CVM Instance in Monthly Subscription or Pay-As-You-Go Mode
- No Idle Security Groups
- CVM Instance in VPC
- No CVM Instances Not Assigned to Project
- Inactive Duration of CVM Instance After Shutdown Not Exceeding Specified Number of Days
- Lease Duration of CVM Instance Meeting Requirement of Specified Number of Days
- CVM Instance Bound to IPv4 Public Address
- Specified Tag Existed for Resource
- Access to Remote Risky Ports by Security Group Not Allowed
- Access to All Ports by Security Group Not Allowed
- CBS Disk Enabled Arrear Protection
- CBS Disk Enabled Encryption
- Detachable CBS Disk Not Moved to Recycle Bin
- Number of Available IP Addresses in VPC Subnet Greater than Specified Value
- Expiration Protection for CVM Instance in Pay-As-You-Go Mode
- No Idle CBS Disks
- Using Rules
- Managing Rules
- Conformance Pack
- Settings
- FAQs
- Contact Us
- Glossary
Access to Remote Risky Ports by Security Group Not Allowed
Last updated: 2024-02-29 11:02:54
Rule purpose: Check whether the security group can access remote risky ports when rules covering all network segments are set.
Compliance evaluation logic: When the security group has set rules covering all network segments (0.0.0.0/0 or ::/0), the port range cannot contain specified risky ports. If no such rules are set, the port range can contain specified risky ports. The evaluation result is "compliant" when the above conditions are met.
Rule Identifier:
cvm-sg-no-remote-accessRisk Level: High
Applicable Resource Type:
QCS::VPC::SecurityGroupRule trigger type: Configuration change
Keyword: Security Group
Rule parameter: None
Yes
No
Was this page helpful?