{
    "Behavior": "PROACTIVE",
    "ComplianceFrameworkMappings": [
        {
            "ComplianceFramework": "NIST 800-53 Rev 5",
            "Ids": [
                "AC-4",
                "AC-4(21)",
                "CA-9(1)",
                "CM-2",
                "CM-2(2)",
                "CM-7",
                "SC-7",
                "SC-7(11)",
                "SC-7(16)",
                "SC-7(21)",
                "SC-7(4)",
                "SC-7(5)"
            ]
        },
        {
            "ComplianceFramework": "PCI DSS version 3.2.1",
            "Ids": [
                "1.2.1",
                "1.3",
                "1.3.1",
                "1.3.2",
                "1.3.4",
                "1.3.6",
                "2.2",
                "2.2.2"
            ]
        }
    ],
    "ConfigRuleIdentifier": "VPC_SG_RESTRICTED_COMMON_PORTS",
    "ControlOwner": "AWS Control Tower",
    "DeploymentMechanism": "AWS CloudFormation Hook",
    "DeploymentOwner": "AWS Control Tower",
    "Description": "This control checks whether an Amazon EC2 security group rule that contains the strings '0.0.0.0/0' or '::/0' as a source IP range does not allow incoming TCP, UDP, ICMP, ICMPv6 traffic to the following ports: '3389', '20', '23', '110', '143', '3306', '8080', '1433', '9200', '9300', '25', '445', '135', '21', '1434', '4333', '5432', '5500', '5601', '22', '3000', '5000', '8088', '8888'.",
    "DisplayName": "Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for specific high-risk ports",
    "DocumentationReferences": [
        {
            "DisplayName": "Instructions for configuring VPC Security Groups",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html"
        }
    ],
    "EvaluatedResourceTypes": [
        "AWS::EC2::SecurityGroup",
        "AWS::EC2::SecurityGroupIngress"
    ],
    "EvaluatedServices": [
        "Amazon EC2"
    ],
    "Guidance": "Elective",
    "Id": "CT.EC2.PR.4",
    "ImplementationType": "CloudFormation guard rule",
    "MinimumSupportedRuntimeVersion": "2.1",
    "Objectives": [
        {
            "Id": "CO.6",
            "Name": "Limit network access"
        }
    ],
    "RegionalPreference": "REGIONAL",
    "Relationships": [
        {
            "ControlId": "SH.EC2.19",
            "ControlOwner": "AWS Security Hub",
            "RelationshipType": "Can be used with (Inclusive)"
        }
    ],
    "ReleaseDate": "2022-11-28",
    "RemediationMessage": "Remove Amazon EC2 security group ingress rules that allow traffic from '0.0.0.0/0' or '::/0' to high risk ports: '3389', '20', '23', '110', '143', '3306', '8080', '1433', '9200', '9300', '25', '445', '135', '21', '1434', '4333', '5432', '5500', '5601', '22', '3000', '5000', '8088', '8888'. The use of managed prefix lists is not supported.",
    "Severity": "CRITICAL",
    "SupportedRegions": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-northeast-3",
        "ap-south-1",
        "ap-south-2",
        "ap-southeast-1",
        "ap-southeast-2",
        "ap-southeast-3",
        "ap-southeast-4",
        "ca-central-1",
        "eu-central-1",
        "eu-central-2",
        "eu-north-1",
        "eu-south-1",
        "eu-south-2",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "il-central-1",
        "me-central-1",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
    ],
    "TargetOuType": "CUSTOM",
    "Version": "2",
    "Visibility": "PUBLIC"
}