Network Reachability - Amazon Inspector Classic

This is the user guide for Amazon Inspector Classic. For information about the new Amazon Inspector, see the Amazon Inspector User Guide. To access the Amazon Inspector Classic console, open the Amazon Inspector console at https://console.aws.amazon.com/inspector/, and then choose Amazon Inspector Classic in the navigation pane.

Network Reachability

The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances. The findings that Amazon Inspector generates also provide guidance about restricting access that is not secure.

The Network Reachability rules package uses the latest technology from the AWS Provable Security initiative.

The findings generated by these rules show whether your ports are reachable from the internet through an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings also highlight network configurations that allow for potentially malicious access, such as mismanaged security groups, ACLs, IGWs, and so on.

These rules help automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured. By including this package in your assessment run, you can implement detailed network security checks without having to install scanners and send packets, which are complex and expensive to maintain, especially across VPC peering connections and VPNs.

Important

An Amazon Inspector Classic agent is not required to assess your EC2 instances with this rules package. However, an installed agent can provide information about the presence of any processes listening on the ports. Do not install an agent on an operating system that Amazon Inspector Classic does not support. If an agent is present on an instance that runs an unsupported operating system, then the Network Reachability rules package will not work on that instance.

For more information, see Amazon Inspector Classic rules packages for supported operating systems.

Configurations analyzed

Network Reachability rules analyze the configuration of the following entities for vulnerabilities:

Reachability routes

Network Reachability rules check for the following reachability routes, which correspond to the ways in which your ports can be accessed from outside of your VPC:

  • Internet - Internet gateways (including Application Load Balancers and Classic Load Balancers)

  • PeeredVPC - VPC peering connections

  • VGW - Virtual private gateways

Findings types

An assessment that includes the Network Reachability rules package can return the following types of findings for each reachability route:

RecognizedPort

A port that is typically used for a well-known service is reachable. If an agent is present on the target EC2 instance, the generated finding will also indicate whether there is an active listening process on the port. Findings of this type are given a severity based on the security impact of the well-known service:

  • RecognizedPortWithListener – A recognized port is externally reachable from the public internet through a specific networking component, and a process is listening on the port.

  • RecognizedPortNoListener – A port is externally reachable from the public internet through a specific networking component, and there are no processes listening on the port.

  • RecognizedPortNoAgent – A port is externally reachable from the public internet through a specific networking component. The presence of a process listening on the port can't be determined without installing an agent on the target instance.

The following table shows a list of recognized ports:

Service

TCP Ports

UDP Ports

SMB

445

445

NetBIOS

137, 139

137, 138

LDAP

389

389

LDAP over TLS

636

Global catalog LDAP

3268

Global catalog LDAP over TLS

3269

NFS

111, 2049, 4045, 1110

111, 2049, 4045, 1110

Kerberos

88, 464, 543, 544, 749, 751

88, 464, 749, 750, 751, 752

RPC

111, 135, 530

111, 135, 530

WINS

1512, 42

1512, 42

DHCP

67, 68, 546, 547

67, 68, 546, 547

Syslog

601

514

Print services

515

Telnet

23

23

FTP

21

21

SSH

22

22

RDP

3389

3389

MongoDB

27017, 27018, 27019, 28017

SQL Server

1433

1434

MySQL

3306

PostgreSQL

5432

Oracle

1521, 1630

Elasticsearch

9300, 9200

HTTP

80 80

HTTPS

443 443

UnrecogizedPortWithListener

A port that is not listed in the preceding table is reachable and has an active listening process on it. Because findings of this type show information about listening processes, they can be generated only when an Amazon Inspector agent is installed on the target EC2 instance. Findings of this type are given Low severity.

NetworkExposure

Findings of this type show aggregate information on the ports that are reachable on your EC2 instance. For each combination of elastic network interfaces and security groups on an EC2 instance, these findings show the reachable set of TCP and UDP port ranges. Findings of this type have the severity of Informational.