Amazon Inspector
User Guide (Version Latest)

Network Reachability

The rules in the Network Reachability package analyze your network configurations to find network security vulnerabilities in your EC2 instances. The findings that Amazon Inspector generates also provide guidance about restricting access that is not secure.

The Network Reachability rules package uses the latest technology from the AWS Provable Security initiative.

The findings generated by these rules show whether your ports are reachable from the internet through an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN connection through a virtual private gateway. These findings also highlight network configurations that allow for potentially malicious access, such as overly permissive security groups, network ACLs, internet gateways, and so on.

These rules help automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured. By including this package in your assessment run, you can implement detailed network security checks without having to install scanners and send packets, which are complex and expensive to maintain, especially across VPC peering connections and VPNs.

Important

An Amazon Inspector agent is not required to assess your EC2 instances with this rules package. However, an installed agent can provide information about the presence of any processes listening on the ports.

Important

This rules package does not support Amazon EC2 Classic networks.

For more information, see Amazon Inspector Rules Packages for Supported Operating Systems.

Configurations Analyzed

Network Reachability rules analyze the configuration of the following entities for vulnerabilities:

Important

The Network Reachability rules package does not account for any other constructs that allow or restrict inbound access.

Reachability Routes

Network Reachability rules check for the following reachability routes, which correspond to the ways in which your ports can be accessed from outside of your VPC:

  • Internet - Internet gateways (including Application Load Balancers and Classic Load Balancers)

  • PeeredVPC - VPC peering connections

  • VGW - Virtual private gateways

Findings Types

An assessment that includes the Network Reachability rules package can return the following types of findings for each reachability route:

RecognizedPort

A port that is typically used for a well-known service is reachable. If an agent is present on the target EC2 instance, the generated finding also indicates whether there is an active listening process on the port. Findings of this type are assigned a severity based on the security impact of the well-known service, and are reported as one of the following subtypes:

  • RecognizedPortWithListener – A recognized port is reachable from outside the VPC (over the reachability route named in the finding) through a specific networking component, and a process is listening on the port.

  • RecognizedPortNoListener – A recognized port is reachable from outside the VPC through a specific networking component, and no process is listening on the port.

  • RecognizedPortNoAgent – A recognized port is reachable from outside the VPC through a specific networking component. Whether a process is listening on the port can't be determined without installing an agent on the target instance.

The following table lists the recognized ports. A blank cell means the service is not recognized on that protocol.

Service                      | TCP ports                    | UDP ports
-----------------------------|------------------------------|-----------------------------
SMB                          | 445                          | 445
NetBIOS                      | 137, 139                     | 137, 138
LDAP                         | 389                          | 389
LDAP over TLS                | 636                          |
Global catalog LDAP          | 3268                         |
Global catalog LDAP over TLS | 3269                         |
NFS                          | 111, 2049, 4045, 1110        | 111, 2049, 4045, 1110
Kerberos                     | 88, 464, 543, 544, 749, 751  | 88, 464, 749, 750, 751, 752
RPC                          | 111, 135, 530                | 111, 135, 530
WINS                         | 1512, 42                     | 1512, 42
DHCP                         | 67, 68, 546, 547             | 67, 68, 546, 547
Syslog                       | 601                          | 514
Print services               | 515                          |
Telnet                       | 23                           | 23
FTP                          | 21                           | 21
SSH                          | 22                           | 22
RDP                          | 3389                         | 3389
MongoDB                      | 27017, 27018, 27019, 28017   |
SQL Server                   | 1433                         | 1434
MySQL                        | 3306                         |
PostgreSQL                   | 5432                         |
Oracle                       | 1521, 1630                   |
Elasticsearch                | 9300, 9200                   |
HTTP                         | 80                           | 80
HTTPS                        | 443                          | 443

UnrecognizedPortWithListener

A port that is not listed in the preceding table is reachable and has an active listening process on it. Because findings of this type show information about listening processes, they can be generated only when an Amazon Inspector agent is installed on the target EC2 instance. Findings of this type are given Low severity.

NetworkExposure

Findings of this type show aggregate information about the ports that are reachable on your EC2 instance. For each combination of elastic network interface and security group on the instance, they list the reachable set of TCP and UDP port ranges. Findings of this type are given Informational severity.
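The following is an added example, not code from the Amazon Inspector documentation or from the service itself. It is a deliberately simplified model of the configuration-only analysis described on this page: it derives the ports a single external IPv4 source can reach through one security group and one ingress network ACL, collapses them into NetworkExposure-style port ranges, and labels each recognized port with the finding type it would receive with and without an agent. The field names follow the EC2 API (IpPermissions and network ACL entries); the security group, ACL, listener list and the TEST-NET-3 source address are constructed for the example. Route tables, internet gateway attachment, load balancers, VPC peering and virtual private gateways, which the real rules package does evaluate, are outside this model.

```python
# Added illustration, not Amazon Inspector's algorithm: the ports one external IPv4 source
# can reach through a security group and an ingress network ACL, collapsed into
# NetworkExposure-style ranges and labelled the way the finding types above are.
from ipaddress import ip_address, ip_network

PROTOCOLS = ("tcp", "udp")

# Transcribed from the table above: service -> (TCP ports, UDP ports).
RECOGNIZED_PORTS = {
    "SMB": ({445}, {445}), "NetBIOS": ({137, 139}, {137, 138}), "LDAP": ({389}, {389}),
    "LDAP over TLS": ({636}, set()), "Global catalog LDAP": ({3268}, set()),
    "Global catalog LDAP over TLS": ({3269}, set()),
    "NFS": ({111, 2049, 4045, 1110}, {111, 2049, 4045, 1110}),
    "Kerberos": ({88, 464, 543, 544, 749, 751}, {88, 464, 749, 750, 751, 752}),
    "RPC": ({111, 135, 530}, {111, 135, 530}), "WINS": ({1512, 42}, {1512, 42}),
    "DHCP": ({67, 68, 546, 547}, {67, 68, 546, 547}), "Syslog": ({601}, {514}),
    "Print services": ({515}, set()), "Telnet": ({23}, {23}), "FTP": ({21}, {21}),
    "SSH": ({22}, {22}), "RDP": ({3389}, {3389}),
    "MongoDB": ({27017, 27018, 27019, 28017}, set()), "SQL Server": ({1433}, {1434}),
    "MySQL": ({3306}, set()), "PostgreSQL": ({5432}, set()), "Oracle": ({1521, 1630}, set()),
    "Elasticsearch": ({9300, 9200}, set()), "HTTP": ({80}, {80}), "HTTPS": ({443}, {443}),
}

def recognized_services(protocol, port):
    """Services from the table using this protocol/port (111 is both NFS and RPC)."""
    return [s for s, ports in RECOGNIZED_PORTS.items() if port in ports[PROTOCOLS.index(protocol)]]

def _covers(rule_protocol, protocol):
    # "-1" means all protocols; network ACL entries use IANA numbers (6 = TCP, 17 = UDP).
    return rule_protocol in ("-1", protocol, {"tcp": "6", "udp": "17"}[protocol])

def reachable_ports(source_ip, sg_permissions, nacl_entries):
    """Per protocol, the ports source_ip can reach: union of SG allows, then ACL first match."""
    src = ip_address(source_ip)
    ingress = sorted((e for e in nacl_entries if not e.get("Egress")), key=lambda e: e["RuleNumber"])
    result = {}
    for proto in PROTOCOLS:
        allowed = set()  # security groups are allow-only, so matching rules simply union
        for perm in sg_permissions:
            if not _covers(perm["IpProtocol"], proto):
                continue
            if not any(src in ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                continue
            lo, hi = (0, 65535) if perm["IpProtocol"] == "-1" else (perm["FromPort"], perm["ToPort"])
            allowed.update(range(lo, hi + 1))
        reachable = set()
        for port in allowed:  # ACL: the lowest-numbered matching rule decides; no match = deny
            for entry in ingress:
                pr = entry.get("PortRange", {"From": 0, "To": 65535})
                if (_covers(entry["Protocol"], proto) and src in ip_network(entry["CidrBlock"])
                        and pr["From"] <= port <= pr["To"]):
                    if entry["RuleAction"] == "allow":
                        reachable.add(port)
                    break
        result[proto] = reachable
    return result

def to_ranges(ports):
    """Collapse a port set into inclusive ranges, the shape NetworkExposure findings report."""
    ranges = []
    for p in sorted(ports):
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def classify(reachable, listeners):
    """(finding type, protocol, port, service) per reachable port; listeners=None models no agent."""
    findings = []
    for proto in PROTOCOLS:
        for port in sorted(reachable[proto]):
            services = recognized_services(proto, port)
            listening = listeners is not None and (proto, port) in listeners
            if services:
                kind = ("RecognizedPortNoAgent" if listeners is None else
                        "RecognizedPortWithListener" if listening else "RecognizedPortNoListener")
                findings.append((kind, proto, port, "/".join(services)))
            elif listening:
                findings.append(("UnrecognizedPortWithListener", proto, port, ""))
    return findings

# Constructed sample in the EC2 API's field names (not taken from a real account).
SAMPLE_SG = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9300, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # VPC-internal sources only
    {"IpProtocol": "udp", "FromPort": 514, "ToPort": 514, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
SAMPLE_NACL = [  # rule 100 denies Telnet from everywhere before rule 200 allows the rest
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 23, "To": 23}},
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]
SAMPLE_LISTENERS = {("tcp", 22), ("tcp", 8080), ("tcp", 9200)}  # what an installed agent would report

def demo(listeners=SAMPLE_LISTENERS, source_ip="203.0.113.10"):  # TEST-NET-3 stands in for the internet
    reachable = reachable_ports(source_ip, SAMPLE_SG, SAMPLE_NACL)
    return {p: to_ranges(reachable[p]) for p in PROTOCOLS}, classify(reachable, listeners)
```

Calling `demo()` on the constructed sample reports TCP 22 (SSH) as reachable with a listener, TCP 8080 as an unrecognized listener, Elasticsearch 9200 with and 9300 without a listener, and Syslog UDP 514 with no listener; Telnet never appears because ACL rule 100 denies it before rule 200 allows everything else, and the allow-all rule scoped to 10.0.0.0/16 contributes nothing for an internet source. Passing `listeners=None` turns every recognized-port finding into RecognizedPortNoAgent and drops 8080 entirely, which is the practical cost of assessing without an agent that the Important note above describes.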