This is the user guide for Amazon Inspector Classic. For information about the new Amazon Inspector, see the Amazon Inspector User Guide. To access the Amazon Inspector Classic console, open the Amazon Inspector console at https://console.aws.amazon.com/inspector/
Network Reachability
The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances. The findings that Amazon Inspector generates also provide guidance about restricting access that is not secure.
The Network Reachability rules package uses the latest technology from the AWS Provable Security
The findings generated by these rules show whether your ports are reachable from the internet through an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings also highlight network configurations that allow for potentially malicious access, such as mismanaged security groups, ACLs, IGWs, and so on.
These rules help automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured. By including this package in your assessment run, you can implement detailed network security checks without having to install scanners and send packets, which are complex and expensive to maintain, especially across VPC peering connections and VPNs.
Important
An Amazon Inspector Classic agent is not required to assess your EC2 instances with this rules package. However, an installed agent can provide information about the presence of any processes listening on the ports. Do not install an agent on an operating system that Amazon Inspector Classic does not support. If an agent is present on an instance that runs an unsupported operating system, then the Network Reachability rules package will not work on that instance.
For more information, see Amazon Inspector Classic rules packages for supported operating systems.
Configurations analyzed
Network Reachability rules analyze the configuration of the following entities for vulnerabilities:
Reachability routes
Network Reachability rules check for the following reachability routes, which correspond to the ways in which your ports can be accessed from outside of your VPC:
- Internet: Internet gateways (including Application Load Balancers and Classic Load Balancers)
- PeeredVPC: VPC peering connections
- VGW: Virtual private gateways
Findings types
An assessment that includes the Network Reachability rules package can return the following types of findings for each reachability route:
RecognizedPort
A port that is typically used for a well-known service is reachable. If an agent is present on the target EC2 instance, the generated finding will also indicate whether there is an active listening process on the port. Findings of this type are given a severity based on the security impact of the well-known service:
- RecognizedPortWithListener – A recognized port is externally reachable from the public internet through a specific networking component, and a process is listening on the port.
- RecognizedPortNoListener – A recognized port is externally reachable from the public internet through a specific networking component, and there are no processes listening on the port.
- RecognizedPortNoAgent – A recognized port is externally reachable from the public internet through a specific networking component. The presence of a process listening on the port can't be determined without installing an agent on the target instance.
The following table shows a list of recognized ports:
| Service | TCP Ports | UDP Ports |
|---|---|---|
| SMB | 445 | 445 |
| NetBIOS | 137, 139 | 137, 138 |
| LDAP | 389 | 389 |
| LDAP over TLS | 636 | |
| Global catalog LDAP | 3268 | |
| Global catalog LDAP over TLS | 3269 | |
| NFS | 111, 2049, 4045, 1110 | 111, 2049, 4045, 1110 |
| Kerberos | 88, 464, 543, 544, 749, 751 | 88, 464, 749, 750, 751, 752 |
| RPC | 111, 135, 530 | 111, 135, 530 |
| WINS | 1512, 42 | 1512, 42 |
| DHCP | 67, 68, 546, 547 | 67, 68, 546, 547 |
| Syslog | 601 | 514 |
| Print services | 515 | |
| Telnet | 23 | 23 |
| FTP | 21 | 21 |
| SSH | 22 | 22 |
| RDP | 3389 | 3389 |
| MongoDB | 27017, 27018, 27019, 28017 | |
| SQL Server | 1433 | 1434 |
| MySQL | 3306 | |
| PostgreSQL | 5432 | |
| Oracle | 1521, 1630 | |
| Elasticsearch | 9300, 9200 | |
| HTTP | 80 | 80 |
| HTTPS | 443 | 443 |
UnrecognizedPortWithListener
A port that is not listed in the preceding table is reachable and has an active listening process on it. Because findings of this type show information about listening processes, they can be generated only when an Amazon Inspector agent is installed on the target EC2 instance. Findings of this type are given Low severity.
NetworkExposure
Findings of this type show aggregate information on the ports that are reachable on your EC2 instance. For each combination of elastic network interfaces and security groups on an EC2 instance, these findings show the reachable set of TCP and UDP port ranges. Findings of this type have the severity of Informational.
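The following is an added example, not AWS code, that models how the finding types above (RecognizedPort variants, UnrecognizedPortWithListener and the NetworkExposure port-range view) are derived for one ENI/security-group pair. It assumes a constructed rule and listener format, uses a subset of the recognized-port table, and simplifies reachability to "ingress rule open to 0.0.0.0/0"; the real rules package also evaluates route tables, NACLs, internet gateways, peering connections and virtual private gateways.

```python
# Subset of the recognized-port table above: service -> (TCP ports, UDP ports).
# Extend it with the remaining rows of that table for real use.
RECOGNIZED = {
    "SMB": ([445], [445]), "NetBIOS": ([137, 139], [137, 138]), "LDAP": ([389], [389]),
    "Kerberos": ([88, 464, 543, 544, 749, 751], [88, 464, 749, 750, 751, 752]),
    "Syslog": ([601], [514]), "Telnet": ([23], [23]), "FTP": ([21], [21]),
    "SSH": ([22], [22]), "RDP": ([3389], [3389]), "SQL Server": ([1433], [1434]),
    "MySQL": ([3306], []), "HTTP": ([80], [80]), "HTTPS": ([443], [443]),
}
SERVICE_BY_PORT = {(pr, p): svc for svc, (tcp, udp) in RECOGNIZED.items()
                   for pr, ports in (("tcp", tcp), ("udp", udp)) for p in ports}

def exposed_ranges(ingress_rules, proto):
    """Merge rules open to 0.0.0.0/0 into sorted, disjoint (from, to) port
    ranges: the per-protocol view a NetworkExposure finding reports."""
    merged = []
    for lo, hi in sorted((lo, hi) for pr, lo, hi, cidr in ingress_rules
                         if pr == proto and cidr == "0.0.0.0/0"):
        if merged and lo <= merged[-1][1] + 1:  # overlapping or adjacent: extend
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def classify(proto, port, agent_installed, listeners):
    """Return (finding type, severity, service) or None; per-service severity of recognized ports is not given on this page."""
    svc = SERVICE_BY_PORT.get((proto, port))
    listening = agent_installed and (proto, port) in listeners
    if svc is None:  # unrecognized ports only surface when an agent sees a listener
        return ("UnrecognizedPortWithListener", "Low", None) if listening else None
    if not agent_installed:
        return ("RecognizedPortNoAgent", None, svc)
    return ("RecognizedPortWithListener" if listening else "RecognizedPortNoListener", None, svc)

def findings(ingress_rules, agent_installed, listeners):
    """All findings for one ENI/security-group pair, ordered by protocol and port."""
    out = []
    for proto in ("tcp", "udp"):
        cands = sorted({p for pr, p in list(SERVICE_BY_PORT) + list(listeners) if pr == proto})
        for lo, hi in exposed_ranges(ingress_rules, proto):
            out += [(proto, p) + f for p in cands if lo <= p <= hi
                    if (f := classify(proto, p, agent_installed, listeners))]
    return out

SAMPLE_RULES = [  # constructed security-group ingress rules: (proto, from_port, to_port, cidr)
    ("tcp", 22, 22, "0.0.0.0/0"), ("tcp", 3389, 3389, "10.0.0.0/8"),  # RDP not internet-facing
    ("tcp", 8000, 8100, "0.0.0.0/0"), ("tcp", 8050, 8443, "0.0.0.0/0"),  # overlapping ranges
    ("udp", 514, 514, "0.0.0.0/0"),
]
SAMPLE_LISTENERS = {("tcp", 22), ("tcp", 8080)}  # constructed agent observation
```

Running `findings(SAMPLE_RULES, False, set())` shows how the same exposure degrades to RecognizedPortNoAgent findings and silently drops the unrecognized listener on 8080 when no agent is installed.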