What this looks like in the scanner
securecompass.io/public-exposure-scanner
Severity   Security group          Finding
Critical   sg-0a4f2e8d1b3c5a7f     Security group allows SSH (port 22) from 0.0.0.0/0
Critical   sg-09d8c7b6a5e4f3d2     Security group allows all inbound traffic from any source
High       sg-01a2b3c4d5e6f7a8     Security group allows MySQL (port 3306) from 0.0.0.0/0
What does Amazon EC2 public exposure mean?
EC2 public exposure occurs when a security group attached to an instance allows inbound traffic from 0.0.0.0/0 (any IPv4 address) or ::/0 (any IPv6 address) on sensitive ports. Common culprits include SSH (port 22), RDP (port 3389), databases (3306, 5432, 27017), and administrative interfaces. A rule that opens a wide port range such as 0-65535, or all protocols, exposes those same ports even though no single port is named in the rule.
Why it matters
Open security groups are among the most common attack vectors for EC2 instances. Automated scanners continuously probe the public IPv4 space for open SSH and RDP ports, so an exposed instance is found quickly, not eventually. A single exposed instance can provide a foothold into your VPC, enabling lateral movement to databases, internal services, and, through the credentials of the instance's IAM role, other accounts.
How to check manually
1. Open EC2 console → Security Groups and filter for inbound rules whose Source is 0.0.0.0/0 or ::/0.
2. Check for rules allowing all traffic (protocol: All, port range: All), and for wide port ranges that include a sensitive port.
3. Review Network ACLs at the subnet level for overly permissive rules. NACLs are stateless and evaluated before the security group, so a permissive NACL does not by itself expose an instance, but it removes the second layer of defence if a security group is later loosened.
4. Use VPC Flow Logs to identify unexpected inbound connections. ACCEPT records from unfamiliar source addresses on port 22, 3389 or a database port show that an open rule is actually being reached, not merely defined.
Quick check with AWS CLI
Find security groups with SSH open to the world
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=22" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].{ID:GroupId,Name:GroupName}"
Find security groups with RDP open to the world
aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=3389" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].{ID:GroupId,Name:GroupName}"
Find security groups allowing all inbound traffic
aws ec2 describe-security-groups --filters "Name=ip-permission.protocol,Values=-1" "Name=ip-permission.cidr,Values=0.0.0.0/0" --query "SecurityGroups[].GroupId"
Caveat: describe-security-groups filters are matched against the group as a whole, not against one rule, so a group with SSH from 10.0.0.0/8 and HTTP from 0.0.0.0/0 still matches the first query. The from-port filters also miss a rule such as 0-65535 that covers port 22 without starting at it, and none of the queries look at IPv6 (::/0, filter name ip-permission.ipv6-cidr). Treat the output as a candidate list and confirm each rule individually.
Common misconfigurations
SSH (22) open to 0.0.0.0/0 instead of a bastion or VPN CIDR
RDP (3389) open to the internet
Database ports directly accessible from outside the VPC
Security group rules accumulated over time without cleanup
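The per-rule evaluation that the console steps and the CLI queries above only approximate, written as an added example that is not part of this page or the scanner. It reads the JSON shape of `aws ec2 describe-security-groups --output json`, judges every inbound rule on its own (so a group with SSH from a private CIDR and HTTP from 0.0.0.0/0 is not misreported), expands port ranges and the all-traffic protocol, and checks both 0.0.0.0/0 and ::/0. The severity map, the function names and the sample groups are constructed for the example and are not the scanner's own.

```python
"""Per-rule audit of EC2 security groups for world-open inbound rules.

Run with no arguments to evaluate the constructed SAMPLE below, or pipe real
output in:  aws ec2 describe-security-groups --output json | python3 sg_audit.py --stdin
"""
import json
import sys

# Constructed severity map for the ports this page lists (assumed, not the scanner's).
SENSITIVE_PORTS = {
    22: ("SSH", "Critical"),
    3389: ("RDP", "Critical"),
    3306: ("MySQL", "High"),
    5432: ("PostgreSQL", "High"),
    27017: ("MongoDB", "High"),
}
RANK = {"Critical": 0, "High": 1, "Medium": 2}
WORLD = {"0.0.0.0/0", "::/0"}


def world_sources(perm):
    """CIDRs in one IpPermission that mean 'anywhere' (IPv4 or IPv6)."""
    v4 = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in v4 + v6 if c in WORLD)


def evaluate_rule(group_id, perm):
    """Return a finding dict for one inbound rule, or None if it is not world-open
    on something that matters. Each rule is judged on its own, unlike the CLI
    filters, which match any rule in the group against each filter separately."""
    sources = world_sources(perm)
    if not sources:
        return None
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return {"group": group_id, "severity": "Critical",
                "finding": "all inbound traffic", "sources": sources}
    if proto not in ("tcp", "udp"):  # icmp etc. is not a port exposure
        return None
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    # A range such as 0-65535 covers port 22 although FromPort is not 22,
    # which is exactly what a from-port=22 filter misses.
    hits = [(p, n, s) for p, (n, s) in SENSITIVE_PORTS.items() if lo <= p <= hi]
    if hits:
        severity = min((s for _, _, s in hits), key=RANK.get)
        desc = ", ".join(f"{n} ({proto}/{p})" for p, n, _ in hits)
        return {"group": group_id, "severity": severity, "finding": desc, "sources": sources}
    if hi > lo:  # a wide range with no listed service is still worth a look
        return {"group": group_id, "severity": "Medium",
                "finding": f"{proto} ports {lo}-{hi}", "sources": sources}
    return None


def audit(groups):
    """Evaluate every rule in every group; return findings ranked by severity."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            f = evaluate_rule(g["GroupId"], perm)
            if f:
                findings.append(f)
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["group"]))


# Constructed sample in the shape of describe-security-groups output (not real data).
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-aaaa", "IpPermissions": [  # SSH private, HTTP public: no finding
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bbbb", "IpPermissions": [  # all TCP ports: covers 22, 3389, ...
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-cccc", "IpPermissions": [  # all traffic, but only via IPv6
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-dddd", "IpPermissions": [  # MySQL open to the world
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}


if __name__ == "__main__":
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE
    for f in audit(data["SecurityGroups"]):
        print(f"{f['severity']:<9}{f['group']:<24}{f['finding']} from {', '.join(f['sources'])}")
```

Note that sg-aaaa, which the `from-port=22` + `cidr=0.0.0.0/0` query would return, produces no finding here, while sg-bbbb, which that query would miss, is ranked Critical because its 0-65535 range contains port 22.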
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.
Scan My Account