...

Permitting traffic from any internet host to any port is discouraged as a security best practice. A rule configured this way exposes every port and service on the host to every IP address on the internet. In practice this means automated scanners will find administrative ports such as SSH (22) or RDP (3389) within minutes and begin brute-forcing logins. Such rules can almost always be reconfigured to be far more restrictive while still allowing legitimate users to reach your application.


There are situations where an "any source" rule is hard to avoid, for example a public web site that must be reachable from the whole world on ports 80 and 443. Very few situations, if any, require a source of "all clients" on all ports. Where access is needed, state explicitly where it originates. To keep this manageable, IP ranges are commonly used instead of a running list of individual hosts. For example, all of Columbia's networks can be added as a single source with the CIDR 128.59.0.0/16.


An example any/any Security Group rule is shown below. Note the 'All' under 'Protocol' and 'Port Range': 'All' in these columns means the remote host can connect to ANY port or service on your VM. Note also the 'Source' column: '0.0.0.0/0' (IPv4) and '::/0' (IPv6) together mean ANY IP address on the internet.

...

Instead, CUIT recommends opening traffic ONLY to the ports and from the IP ranges that your application requires. This may mean writing more rules, but it results in greatly improved security. In the following example, the Security Group permits traffic from any IP address, but ONLY to ports 80 and 443 for web traffic. With this configuration, administrative ports like SSH and RDP are not reachable from the internet; if they are needed at all, they should be opened only to a specific range such as 128.59.0.0/16.
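The following is an added example, not code from the original page or from CUIT, that audits Security Group ingress rules for the any/any pattern described above and for admin ports opened to the whole internet. The input dictionaries mirror the IpPermissions shape returned by boto3's ec2.describe_security_groups(); the three sample groups, their IDs, and the function names are constructed for this example, and the 128.59.0.0/16 range is the Columbia network from the text.

```python
"""Audit EC2 Security Group ingress rules for over-permissive sources.

Added example: the IpPermissions structures below are constructed to match
the boto3 describe_security_groups() output shape; the group IDs are not
real resources.
"""
import ipaddress

# Administrative ports that must never be exposed to the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Public web ports that the text allows from any source.
WEB_PORTS = {80, 443}
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def sources_of(rule):
    """Return every CIDR source (IPv4 and IPv6) listed on one IpPermissions entry."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return cidrs


def is_any_source(cidr):
    """True if the CIDR covers the entire address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ports_of(rule):
    """Return (from_port, to_port); IpProtocol "-1" means all protocols and ports."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def audit_security_group(group):
    """Return a list of (severity, message) findings for one security group dict.

    CRITICAL: all protocols/ports open to any source (the any/any rule).
    HIGH:     an admin port (SSH/RDP) open to any source.
    MEDIUM:   some other non-web port range open to any source.
    Rules whose source is a specific network (e.g. 128.59.0.0/16) are accepted.
    """
    findings = []
    for rule in group.get("IpPermissions", []):
        lo, hi = ports_of(rule)
        for cidr in sources_of(rule):
            if not is_any_source(cidr):
                continue
            if rule.get("IpProtocol") == "-1":
                findings.append(("CRITICAL", f"any/any: all protocols and ports open to {cidr}"))
                continue
            exposed_admin = [f"{p}/{name}" for p, name in ADMIN_PORTS.items() if lo <= p <= hi]
            if exposed_admin:
                findings.append(("HIGH", f"{', '.join(exposed_admin)} open to {cidr}"))
            elif not (lo == hi and lo in WEB_PORTS):
                findings.append(("MEDIUM", f"ports {lo}-{hi} open to {cidr}"))
    return findings


# --- Constructed sample groups -------------------------------------------------

# The discouraged any/any rule: every port, every protocol, every source.
ANY_ANY_SG = {
    "GroupId": "sg-0example-anyany",
    "IpPermissions": [{
        "IpProtocol": "-1",
        "IpRanges": [{"CidrIp": ANY_V4}],
        "Ipv6Ranges": [{"CidrIpv6": ANY_V6}],
    }],
}

# The recommended shape: 80/443 from anywhere, SSH only from the Columbia range.
WEB_ONLY_SG = {
    "GroupId": "sg-0example-web",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "128.59.0.0/16"}]},
    ],
}

# A common mistake: SSH opened to the whole IPv4 internet.
SSH_OPEN_SG = {
    "GroupId": "sg-0example-ssh",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}]},
    ],
}

if __name__ == "__main__":
    for sg in (ANY_ANY_SG, WEB_ONLY_SG, SSH_OPEN_SG):
        print(sg["GroupId"], audit_security_group(sg) or "OK")
```

To run this against a live account, replace the constructed dictionaries with the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()`; the audit function only reads the `IpPermissions` field, so the shape is the same.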


Leaving an any/any rule in place makes it very likely that an attacker will eventually gain illicit access to the host.

Please contact CUIT if you have any further questions. For help configuring a security group, please see:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

...