Ensure Security Groups accept traffic only from ports 80 and 443

Error: Security Groups do not accept traffic only from ports 80 and 443

Bridgecrew Policy ID: BC_AWS_NETWORKING_11
Severity: HIGH

Security Groups do not accept traffic only from ports 80 and 443

Description

If you are hosting a public asset, such as a website on an EC2 instance, you should only allow users to connect to it over HTTP (port 80) or HTTPS (port 443). For HTTP traffic, add an inbound rule on port 80 from the source 0.0.0.0/0 (any IPv4 address). For HTTPS traffic, add an inbound rule on port 443 from the source 0.0.0.0/0. These inbound rules allow traffic from any IPv4 address.

We recommend you restrict unwanted traffic to internet-facing EC2 instances by opening only the web browsing ports. In addition, consider using AWS Elastic Load Balancers (ELB) as an alternative to opening ports on the instances themselves. AWS ELB is an important building block that distributes load to your backend instances in a round-robin fashion.

Fix - Runtime

Procedure

Do not allow global (0.0.0.0/0) access to the well-known ports of an EC2 instance directly; only ports 80 and 443 may be opened to the world.
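The check below is an added example, not Bridgecrew's own policy code: it evaluates security-group inbound rules in the JSON shape returned by `aws ec2 describe-security-groups` and reports every rule that exposes anything other than TCP 80 or 443 to 0.0.0.0/0 or ::/0. The sample groups, their `sg-…` identifiers and the `audit` helper are constructed for the example. It also covers the edge cases a practitioner hits in practice: `IpProtocol` "-1" (all traffic), port ranges such as 80-443 that span far more than the two web ports, IPv6 any-address sources, and non-global sources (a private CIDR on port 22), which this policy does not flag.

```python
"""Flag security-group inbound rules that open non-web ports to the world.

Added example (not Bridgecrew's check implementation). Input follows the
`aws ec2 describe-security-groups` JSON shape; sample data is constructed.
"""
from typing import Dict, List

ALLOWED_PORTS = {80, 443}            # the only ports this policy permits globally
GLOBAL_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" for IPv4 and IPv6


def _global_sources(rule: dict) -> List[str]:
    """Return the any-address CIDRs (IPv4 or IPv6) a rule grants access from."""
    sources = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [s for s in sources if s in GLOBAL_CIDRS]


def _ports_outside_allowed(rule: dict) -> bool:
    """True if the rule reaches any port other than 80 or 443.

    IpProtocol "-1" means all traffic and carries no port fields. A
    FromPort/ToPort pair is a range: 80-443 covers 362 ports beyond the two
    web ports, so every port in the span is checked.
    """
    if rule.get("IpProtocol") == "-1":
        return True
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None or lo == -1:  # no port, or all ports
        return True
    return any(p not in ALLOWED_PORTS for p in range(lo, hi + 1))


def check_security_group(sg: dict) -> List[str]:
    """Return one finding per inbound rule that opens a non-web port globally.

    An empty list means the group complies with the policy. Rules whose
    sources are private CIDRs or other security groups are out of scope.
    """
    findings = []
    for rule in sg.get("IpPermissions", []):
        sources = _global_sources(rule)
        if not sources:
            continue
        if rule.get("IpProtocol") == "tcp" and not _ports_outside_allowed(rule):
            continue  # TCP 80 and/or 443 only: allowed
        if rule.get("IpProtocol") == "-1":
            port_desc = "all traffic"
        else:
            port_desc = f"{rule.get('IpProtocol')} {rule.get('FromPort')}-{rule.get('ToPort')}"
        findings.append(f"{sg['GroupId']}: {port_desc} open from {', '.join(sources)}")
    return findings


# Constructed sample groups (not real AWS output); the GroupId values are placeholders.
SAMPLE_GROUPS = [
    {   # compliant: 80 and 443 from anywhere, SSH only from a private range
        "GroupId": "sg-0000web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {   # non-compliant: SSH from the world, RDP from all IPv6, a wide range, all traffic
        "GroupId": "sg-0000bad",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def audit(groups=SAMPLE_GROUPS) -> Dict[str, List[str]]:
    """Map each group id to its list of findings."""
    return {g["GroupId"]: check_security_group(g) for g in groups}


if __name__ == "__main__":
    for gid, findings in audit().items():
        print(gid, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

To run it against a live account, feed the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` into `audit()` in place of the constructed sample; the check deliberately treats a private CIDR on port 22 as compliant, because this policy is only about global exposure.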