Why did I receive the GuardDuty finding type alert Recon:EC2/PortProbeUnprotectedPort for my Amazon EC2 instance?

Last updated: 2020-10-28

The GuardDuty finding type Recon:EC2/PortProbeUnprotectedPort means that an Amazon EC2 instance has an unprotected port that is being probed by a known malicious host.

Use the following best practices to protect the unprotected port or remove inbound rules:

• Follow the instructions to view and analyze your GuardDuty findings.
• In the findings detail pane, note the port number.
• If the unprotected port is 22 for Linux, you can restrict access by following the instructions for authorizing inbound traffic for your Linux instances.
• If the unprotected port is 3389 for Windows, you can restrict access by following the instructions for authorizing inbound traffic for your Windows instances.
• If the unprotected port is 80 or 443 and you need to keep these ports open, you can put the EC2 instance behind a load balancer.
• If the port doesn't have any application running on it and doesn't need to be open, you can remove the inbound rule for the EC2 instance security group and iptables rules.
• If you don't need to protect the unprotected port, you can ignore the Recon:EC2/PortProbeUnprotectedPort finding type.