AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-07-16 · Documentation low

File: securityhub/latest/userguide/ec2-controls.md

Summary

Fixed punctuation (removed backslash) in the description of EC2.21 control

Security assessment

Formatting correction with no impact on security content or implications.

Diff

diff --git a/securityhub/latest/userguide/ec2-controls.md b/securityhub/latest/userguide/ec2-controls.md
index 6a784ea58..d89793dc1 100644
--- a//securityhub/latest/userguide/ec2-controls.md
+++ b//securityhub/latest/userguide/ec2-controls.md
@@ -5 +5 @@
-[EC2.1] Amazon EBS snapshots should not be publicly restorable[EC2.2] VPC default security groups should not allow inbound or outbound traffic[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest[EC2.4] Stopped EC2 instances should be removed after a specified time period[EC2.6] VPC flow logging should be enabled in all VPCs[EC2.7] EBS default encryption should be enabled[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)[EC2.9] Amazon EC2 instances should not have a public IPv4 address[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service[EC2.12] Unused Amazon EC2 EIPs should be removed[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses[EC2.16] Unused Network Access Control Lists should be removed[EC2.17] Amazon EC2 instances should not use multiple ENIs[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports[EC2.19] Security groups should not allow unrestricted access to ports with high risk[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389[EC2.22] Unused Amazon EC2 security groups should be removed[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests[EC2.24] Amazon EC2 paravirtual instance types should not be used[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces[EC2.28] EBS volumes should be covered by a backup plan[EC2.33] EC2 transit gateway attachments should be tagged[EC2.34] EC2 transit gateway route tables should be tagged[EC2.35] EC2 network interfaces should be tagged[EC2.36] EC2 customer gateways should be tagged[EC2.37] EC2 Elastic IP addresses should be tagged[EC2.38] EC2 instances should be tagged[EC2.39] EC2 internet gateways should be tagged[EC2.40] EC2 NAT gateways should be tagged[EC2.41] EC2 network ACLs should be tagged[EC2.42] EC2 route tables should be tagged[EC2.43] EC2 security groups should be tagged[EC2.44] EC2 subnets should be tagged[EC2.45] EC2 volumes should be tagged[EC2.46] Amazon VPCs should be tagged[EC2.47] Amazon VPC endpoint services should be tagged[EC2.48] Amazon VPC flow logs should be tagged[EC2.49] Amazon VPC peering connections should be tagged[EC2.50] EC2 VPN gateways should be tagged[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled[EC2.52] EC2 transit gateways should be tagged[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports[EC2.55] VPCs should be configured with an interface endpoint for ECR API[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)[EC2.171] EC2 VPN connections should have logging enabled[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes[EC2.174] EC2 DHCP option sets should be tagged[EC2.175] EC2 launch templates should be tagged[EC2.176] EC2 prefix lists should be tagged[EC2.177] EC2 traffic mirror sessions should be tagged[EC2.178] EC2 traffic mirror filters should be tagged[EC2.179] EC2 traffic mirror targets should be tagged
+[EC2.1] Amazon EBS snapshots should not be publicly restorable[EC2.2] VPC default security groups should not allow inbound or outbound traffic[EC2.3] Attached Amazon EBS volumes should be encrypted at-rest[EC2.4] Stopped EC2 instances should be removed after a specified time period[EC2.6] VPC flow logging should be enabled in all VPCs[EC2.7] EBS default encryption should be enabled[EC2.8] EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)[EC2.9] Amazon EC2 instances should not have a public IPv4 address[EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service[EC2.12] Unused Amazon EC2 EIPs should be removed[EC2.13] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22[EC2.14] Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389[EC2.15] Amazon EC2 subnets should not automatically assign public IP addresses[EC2.16] Unused Network Access Control Lists should be removed[EC2.17] Amazon EC2 instances should not use multiple ENIs[EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports[EC2.19] Security groups should not allow unrestricted access to ports with high risk[EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up[EC2.21] Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389[EC2.22] Unused Amazon EC2 security groups should be removed[EC2.23] Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests[EC2.24] Amazon EC2 paravirtual instance types should not be used[EC2.25] Amazon EC2 launch templates should not assign public IPs to network interfaces[EC2.28] EBS volumes should be covered by a backup plan[EC2.33] EC2 transit gateway attachments should be tagged[EC2.34] EC2 transit gateway route tables should be tagged[EC2.35] EC2 network interfaces should be tagged[EC2.36] EC2 customer gateways should be tagged[EC2.37] EC2 Elastic IP addresses should be tagged[EC2.38] EC2 instances should be tagged[EC2.39] EC2 internet gateways should be tagged[EC2.40] EC2 NAT gateways should be tagged[EC2.41] EC2 network ACLs should be tagged[EC2.42] EC2 route tables should be tagged[EC2.43] EC2 security groups should be tagged[EC2.44] EC2 subnets should be tagged[EC2.45] EC2 volumes should be tagged[EC2.46] Amazon VPCs should be tagged[EC2.47] Amazon VPC endpoint services should be tagged[EC2.48] Amazon VPC flow logs should be tagged[EC2.49] Amazon VPC peering connections should be tagged[EC2.50] EC2 VPN gateways should be tagged[EC2.51] EC2 Client VPN endpoints should have client connection logging enabled[EC2.52] EC2 transit gateways should be tagged[EC2.53] EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports[EC2.54] EC2 security groups should not allow ingress from ::/0 to remote server administration ports[EC2.55] VPCs should be configured with an interface endpoint for ECR API[EC2.56] VPCs should be configured with an interface endpoint for Docker Registry[EC2.57] VPCs should be configured with an interface endpoint for Systems Manager[EC2.58] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts[EC2.60] VPCs should be configured with an interface endpoint for Systems Manager Incident Manager[EC2.170] EC2 launch templates should use Instance Metadata Service Version 2 (IMDSv2)[EC2.171] EC2 VPN connections should have logging enabled[EC2.172] EC2 VPC Block Public Access settings should block internet gateway traffic[EC2.173] EC2 Spot Fleet requests should enable encryption for attached EBS volumes[EC2.174] EC2 DHCP option sets should be tagged[EC2.175] EC2 launch templates should be tagged[EC2.176] EC2 prefix lists should be tagged[EC2.177] EC2 traffic mirror sessions should be tagged[EC2.178] EC2 traffic mirror filters should be tagged[EC2.179] EC2 traffic mirror targets should be tagged[EC2.180] EC2 network interfaces should have source/destination checking enabled
@@ -581 +581 @@ To modify VPN tunnel options, see [Modifying Site-to-Site VPN tunnel options](ht
-This control checks whether a network access control list (network ACL) allows unrestricted access to the default TCP ports for SSH/RDP ingress traffic. The control fails if the network ACL inbound entry allows a source CIDR block of '0.0.0.0/0' or '::/0' for TCP ports 22 or 3389\. The control doesn't generate findings for a default network ACL.
+This control checks whether a network access control list (network ACL) allows unrestricted access to the default TCP ports for SSH/RDP ingress traffic. The control fails if the network ACL inbound entry allows a source CIDR block of '0.0.0.0/0' or '::/0' for TCP ports 22 or 3389. The control doesn't generate findings for a default network ACL.
@@ -1791,0 +1792,26 @@ For information about adding tags to an Amazon EC2 traffic mirror target, see [T
+## [EC2.180] EC2 network interfaces should have source/destination checking enabled
+
+**Category:** Protect > Network Security
+
+**Severity:** Medium
+
+**Resource type:** `AWS::EC2::NetworkInterface`
+
+**AWS Config rule:** [ec2-enis-source-destination-check-enabled](https://docs.aws.amazon.com/config/latest/developerguide/ec2-enis-source-destination-check-enabled.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:** None
+
+This control checks whether source/destination checking is enabled for an Amazon EC2 elastic network interface (ENI) that's managed by users. The control fails if source/destination checking is disabled for the user-managed ENI. This control checks only the following types of ENIs: `aws_codestar_connections_managed`, `branch`, `efa`, `interface`, `lambda`, and `quicksight`.
+
+Source/destination checking for Amazon EC2 instances and attached ENIs should be enabled and configured consistently across your EC2 instances. Each ENI has its own setting for source/destination checks. If source/destination checking is enabled, Amazon EC2 enforces source/destination address validation, which ensures that an instance is either the source or the destination of any traffic that it receives. This provides an additional layer of network security by preventing resources from handling unintended traffic and preventing IP address spoofing.
+
+###### Note
+
+If you're using an EC2 instance as a NAT instance and you disabled source/destination checking for its ENI, you can use a [NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) instead.
+
+### Remediation
+
+For information about enabling source/destination checks for an Amazon EC2 ENI, see [Modify network interface attributes](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/modify-network-interface-attributes.html#modify-source-dest-check) in the _Amazon EC2 User Guide_.
+