Talked to one of the developers; they were doing some testing, and the security groups I saw when reviewing the alert were different from the security groups at the time the alert occurred.
Hello,
Refer to this documentation on how to remediate the finding Recon:EC2/PortProbeUnprotectedPort: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport_description
https://repost.aws/knowledge-center/resolve-guardduty-unprotectedport-alerts
You can ignore the finding if you're sure that the EC2 instance is secure.
I'm reasonably sure that GuardDuty is correct in reporting the finding. It simply inspects your VPC flow logs and looks for repeated connections to ports other than ordinarily needed ones (like tcp/443) and reports if it observes matching traffic passing through. There must be a security group that's permitting the traffic flow the GuardDuty finding is showing.
Does your EC2 instance perhaps have multiple network interfaces? Security groups are attached separately to each ENI, despite a single set of them appearing in the instance properties, so one interface could have a security group attached that permits traffic while another interface wouldn't.
Or, could traffic be entering through a Network Load Balancer (NLB), and instead of the attacker's public IP address being permitted in the security group rules of your EC2 instance, the NLB's security group would allow it, and the security group of the EC2 instance would allow traffic from the NLB's security group?
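As an added example (not code from this thread or from AWS), here is a check that walks every ENI's security groups and reports which interface and rule admit a given source IP to the probed port. Rules that trust another security group (such as an NLB's) are reported as indirect exposure. The ENI and rule data are constructed samples shaped like `describe-network-interfaces` / `describe-security-groups` output; in practice you would feed the real output in.

```python
import ipaddress

# Constructed sample, shaped like `aws ec2 describe-network-interfaces` output:
# two ENIs on one instance, each with its own security group.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "Groups": [{"GroupId": "sg-web"}]},
    {"NetworkInterfaceId": "eni-0bbb", "Groups": [{"GroupId": "sg-mgmt"}]},
]
# Constructed inbound rules per group, shaped like IpPermissions from describe-security-groups.
SAMPLE_SGS = {
    "sg-web": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "sg-mgmt": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
                {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-nlb"}]}],
}

def rule_covers(rule, port, protocol="tcp"):
    """True if an inbound rule matches the protocol/port ("-1" means all traffic)."""
    proto = rule["IpProtocol"]
    if proto == "-1":
        return True
    if proto != protocol:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def find_exposures(enis, sgs, port, source_ip, protocol="tcp"):
    """Return (eni_id, sg_id, source) for every rule letting source_ip reach port.
    A source that is a security-group ID means the rule trusts another group
    (for example an NLB's), so exposure is indirect and that group needs checking too."""
    ip = ipaddress.ip_address(source_ip)
    hits = []
    for eni in enis:
        for group in eni["Groups"]:
            for rule in sgs.get(group["GroupId"], []):
                if not rule_covers(rule, port, protocol):
                    continue
                for rng in rule.get("IpRanges", []):
                    if ip in ipaddress.ip_network(rng["CidrIp"], strict=False):
                        hits.append((eni["NetworkInterfaceId"], group["GroupId"], rng["CidrIp"]))
                for pair in rule.get("UserIdGroupPairs", []):
                    hits.append((eni["NetworkInterfaceId"], group["GroupId"], pair["GroupId"]))
    return hits

if __name__ == "__main__":
    # The probe source IP is a constructed documentation address (TEST-NET-2).
    for hit in find_exposures(SAMPLE_ENIS, SAMPLE_SGS, 22, "198.51.100.7"):
        print("port 22 reachable via ENI %s, group %s, source %s" % hit)
```

Compare the result against the finding's port and remote IP; if nothing matches, the rules have changed since the finding was generated, as the original poster found.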