选择您的 Cookie 首选项

我们使用必要 Cookie 和类似工具提供我们的网站和服务。我们使用性能 Cookie 收集匿名统计数据,以便我们可以了解客户如何使用我们的网站并进行改进。必要 Cookie 无法停用,但您可以单击“自定义”或“拒绝”来拒绝性能 Cookie。

如果您同意,AWS 和经批准的第三方还将使用 Cookie 提供有用的网站功能、记住您的首选项并显示相关内容,包括相关广告。要接受或拒绝所有非必要 Cookie,请单击“接受”或“拒绝”。要做出更详细的选择,请单击“自定义”。

Network Reachability - Amazon Inspector Classic
此页面尚未翻译为您的语言。 请求翻译

This is the user guide for Amazon Inspector Classic. For information about the new Amazon Inspector, see the Amazon Inspector User Guide. To access the Amazon Inspector Classic console, open the Amazon Inspector console at https://console.aws.amazon.com/inspector/, and then choose Amazon Inspector Classic in the navigation pane.

This is the user guide for Amazon Inspector Classic. For information about the new Amazon Inspector, see the Amazon Inspector User Guide. To access the Amazon Inspector Classic console, open the Amazon Inspector console at https://console.aws.amazon.com/inspector/, and then choose Amazon Inspector Classic in the navigation pane.

Network Reachability

The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances. The findings that Amazon Inspector generates also provide guidance about restricting access that is not secure.

The Network Reachability rules package uses the latest technology from the AWS Provable Security initiative.

The findings generated by these rules show whether your ports are reachable from the internet through an internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway. These findings also highlight network configurations that allow for potentially malicious access, such as mismanaged security groups, ACLs, IGWs, and so on.

These rules help automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured. By including this package in your assessment run, you can implement detailed network security checks without having to install scanners and send packets, which are complex and expensive to maintain, especially across VPC peering connections and VPNs.

Important

An Amazon Inspector Classic agent is not required to assess your EC2 instances with this rules package. However, an installed agent can provide information about the presence of any processes listening on the ports. Do not install an agent on an operating system that Amazon Inspector Classic does not support. If an agent is present on an instance that runs an unsupported operating system, then the Network Reachability rules package will not work on that instance.

For more information, see Amazon Inspector Classic rules packages for supported operating systems.

Configurations analyzed

Network Reachability rules analyze the configuration of the following entities for vulnerabilities:

Reachability routes

Network Reachability rules check for the following reachability routes, which correspond to the ways in which your ports can be accessed from outside of your VPC:

  • Internet - Internet gateways (including Application Load Balancers and Classic Load Balancers)

  • PeeredVPC - VPC peering connections

  • VGW - Virtual private gateways

Findings types

An assessment that includes the Network Reachability rules package can return the following types of findings for each reachability route:

RecognizedPort

A port that is typically used for a well-known service is reachable. If an agent is present on the target EC2 instance, the generated finding will also indicate whether there is an active listening process on the port. Findings of this type are given a severity based on the security impact of the well-known service:

  • RecognizedPortWithListener – A recognized port is externally reachable from the public internet through a specific networking component, and a process is listening on the port.

  • RecognizedPortNoListener – A port is externally reachable from the public internet through a specific networking component, and there are no processes listening on the port.

  • RecognizedPortNoAgent – A port is externally reachable from the public internet through a specific networking component. The presence of a process listening on the port can't be determined without installing an agent on the target instance.

The following table shows a list of recognized ports:

Service

TCP Ports

UDP Ports

SMB

445

445

NetBIOS

137, 139

137, 138

LDAP

389

389

LDAP over TLS

636

Global catalog LDAP

3268

Global catalog LDAP over TLS

3269

NFS

111, 2049, 4045, 1110

111, 2049, 4045, 1110

Kerberos

88, 464, 543, 544, 749, 751

88, 464, 749, 750, 751, 752

RPC

111, 135, 530

111, 135, 530

WINS

1512, 42

1512, 42

DHCP

67, 68, 546, 547

67, 68, 546, 547

Syslog

601

514

Print services

515

Telnet

23

23

FTP

21

21

SSH

22

22

RDP

3389

3389

MongoDB

27017, 27018, 27019, 28017

SQL Server

1433

1434

MySQL

3306

PostgreSQL

5432

Oracle

1521, 1630

Elasticsearch

9300, 9200

HTTP

80 80

HTTPS

443 443

UnrecogizedPortWithListener

A port that is not listed in the preceding table is reachable and has an active listening process on it. Because findings of this type show information about listening processes, they can be generated only when an Amazon Inspector agent is installed on the target EC2 instance. Findings of this type are given Low severity.

NetworkExposure

Findings of this type show aggregate information on the ports that are reachable on your EC2 instance. For each combination of elastic network interfaces and security groups on an EC2 instance, these findings show the reachable set of TCP and UDP port ranges. Findings of this type have the severity of Informational.

隐私网站条款Cookie 首选项
© 2025, Amazon Web Services, Inc. 或其附属公司。保留所有权利。