The Exposed Port

Max room.

An open management port is a standing invitation. Find it, close it, and build without it.

medium

45 min

1


An engineer spins up an instance during a late-night deployment. Port 22 goes in as a temporary convenience - just until the setup is done. The instance gets its workload, the team moves on, and the rule is never revisited. Three days later, an alert fires: UnauthorizedAccess:EC2/SSHBruteForce. The port has been answering automated scanners since the moment the instance came online.

Modern AWS environments require no inbound management ports. AWS Systems Manager Session Manager provides authenticated, audited shell access over the AWS control plane - no inbound rules, no key pairs, no brute-force surface. The port was never needed. This room shows you how to find it, close it, and build correctly from the start.

Learning Objectives

By the end of this room, you will be able to:

  • Understand how an exposed management port creates a persistent brute-force attack vector
  • Identify instances with SSH or RDP open to 0.0.0.0/0 using the
  • Confirm whether Systems Manager is already available on a running instance
  • Remove a public inbound management rule without interrupting administrative access
  • Build a new instance with no inbound management port from the start
  • Use Session Manager as the standard, auditable access path for administration
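As an added example (not part of the room's own material), the check behind the second objective: a small audit over security-group descriptions in the shape of `aws ec2 describe-security-groups` output, flagging any group that exposes SSH or RDP to 0.0.0.0/0 or ::/0. The group IDs and rules below are constructed sample data, not real account output, and the check also covers the "all traffic" (-1) case and port ranges that include 22 or 3389.

```python
import json

# Management ports the room is concerned with: SSH and RDP.
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

def _rule_opens_port(rule, port):
    """True if an ingress permission covers `port` over TCP or over all protocols."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # -1 means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _public_cidrs(rule):
    """Return the world-reachable CIDRs (IPv4 or IPv6) a rule grants access from."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return sorted(cidrs & ANY_CIDRS)

def find_exposed_mgmt_ports(security_groups):
    """Return (group_id, service, cidr) for each group exposing SSH/RDP to the world.
    `security_groups` is the "SecurityGroups" list from describe-security-groups."""
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            for cidr in _public_cidrs(rule):
                for port, name in MGMT_PORTS.items():
                    if _rule_opens_port(rule, port):
                        findings.add((sg["GroupId"], name, cidr))
    return sorted(findings)

# Constructed sample mirroring describe-security-groups JSON (hypothetical group IDs).
SAMPLE = json.loads("""{"SecurityGroups": [
  {"GroupId": "sg-0example01", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example02", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0example03", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}""")

if __name__ == "__main__":
    for gid, svc, cidr in find_exposed_mgmt_ports(SAMPLE["SecurityGroups"]):
        print(f"{gid}: {svc} open to {cidr}")
```

Map the flagged group IDs back to instances with describe-instances before removing a rule, so the remediation step of the room is applied only where Session Manager access has been confirmed.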

Prerequisites

Answer the questions below

Unscheduled activation. Incoming scan on port 22.