Knowledge Base

An EC2 instance's SSH port (22) is accessible from the public Internet for any source address

Provider: AWS
Service: ec2
Severity: High


Because it is commonly used for administrative access, the SSH port is an attractive target for attackers. CIS 4.1 recommends that you restrict access to the SSH port (TCP 22) with a security group.

Suggested Action

You should configure security groups to prevent SSH access from the Internet.


Framework Name Control # Control Description
cis-aws-foundations-benchmark 1.2.0 4.1 Ensure no security groups allow ingress from to port 22
nist-sp800-171 Revision 1 3.1.14 Route remote access via managed access control points.
nist-sp800-171 Revision 1 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
aicpa-soc-2 2017 cc6.1 Logical access controls
aicpa-soc-2 2017 cc6.6 External logical access controls
us-hipaa-164 2017-10-01 312.e.1 Transmission Security
nist-csf 1.1 Protect network integrity
nist-csf 1.1 Establish activity baseline
nist-csf 1.1 Monitor for unauthorized access
nist-sp800-171 Revision 1 3.1.12 Monitor and control remote access sessions.
eu-gdpr 2016-679 Article-46 Transfers subject to appropriate safeguards
pci-dss 3.2.1 1.2.1 Default 'deny-all' router/firewall configuration
pci-dss 3.2.1 1.3.2 Untrusted traffic to DMZ only


  • You can find the full text of CIS 4.1, which includes audit and remediation steps, at this link
  • You can find information about configuring a security group to allow SSH access at this link