Ensure EC2 Instances Do Not Allow Unrestricted Access to VNC Server (Port 5900)
AWS Security Groups act as a stateful firewall for your Amazon EC2 instances, controlling both inbound and outbound traffic. They are flexible: you decide exactly which protocols, ports and source addresses may reach an instance and which traffic may leave it. Because you have full control over inbound connectivity, it is your responsibility to reduce risk whenever you expose management or remote-access ports. Follow a least-access approach: grant access only to the specific endpoints (individual IP addresses, CIDR blocks or other security groups) that need it, never to 0.0.0.0/0 or ::/0. VNC (TCP port 5900) is a remote desktop protocol whose traffic is typically unencrypted and whose classic password authentication is weak, so an instance reachable on port 5900 from the internet is exposed to credential brute-forcing and session eavesdropping. Restricting VNC access to trusted sources is therefore an EC2 security best practice, and it also supports compliance with NIST, GDPR and PCI-DSS requirements around access control.
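The following script is an added example, not code from the original page or from AWS, showing how to evaluate this check against the IpPermissions structure that the EC2 DescribeSecurityGroups API returns. It goes slightly beyond the exact-port case in the text: it also flags "all traffic" (IpProtocol -1) rules and TCP port ranges that include 5900, both of which expose VNC just as effectively. The GroupIds and CIDR blocks in the sample data are constructed for illustration, and the optional scan_region function assumes boto3 and AWS credentials are available.

```python
"""Detect EC2 security groups that expose VNC (TCP 5900) to the internet.

The rule dictionaries mirror the IpPermissions shape returned by the EC2
DescribeSecurityGroups API; the sample groups and their GroupIds below are
constructed for this example and are not real AWS resources.
"""

VNC_PORT = 5900
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def rule_covers_port(rule, port=VNC_PORT):
    """Return True if an ingress rule applies to `port` over TCP.

    IpProtocol "-1" means all protocols and all ports, and such rules carry
    no FromPort/ToPort.  TCP rules carry an inclusive port range, so a rule
    for 5900-5910 (VNC displays :0 to :10) must count as covering 5900.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def rule_open_to_world(rule):
    """Return True if any source of the rule is the IPv4 or IPv6 any-address CIDR."""
    ipv4_any = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
    ipv6_any = any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", []))
    return ipv4_any or ipv6_any


def unrestricted_vnc_groups(security_groups):
    """Return the GroupIds of every group that exposes VNC to the world."""
    offenders = []
    for sg in security_groups:
        rules = sg.get("IpPermissions", [])
        if any(rule_covers_port(r) and rule_open_to_world(r) for r in rules):
            offenders.append(sg["GroupId"])
    return offenders


def scan_region(region_name):
    """Run the check against a live account (assumes boto3 and AWS credentials)."""
    import boto3  # imported here so the offline sample below needs no AWS SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    pages = ec2.get_paginator("describe_security_groups").paginate()
    return unrestricted_vnc_groups(
        sg for page in pages for sg in page["SecurityGroups"]
    )


# Constructed sample data (hypothetical GroupIds and CIDRs).
SAMPLE_GROUPS = [
    {   # FAIL: VNC open to every IPv4 address
        "GroupId": "sg-0a1b2c3d4e5f60001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5900, "ToPort": 5900,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # FAIL: "all traffic" from any IPv6 address also exposes 5900
        "GroupId": "sg-0a1b2c3d4e5f60002",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # PASS: VNC display range restricted to a single admin host
        "GroupId": "sg-0a1b2c3d4e5f60003",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5900, "ToPort": 5910,
             "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        ],
    },
    {   # PASS for this check: SSH is world-open (a separate finding), VNC only from a bastion group
        "GroupId": "sg-0a1b2c3d4e5f60004",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 5900, "ToPort": 5900,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60099"}]},
        ],
    },
]

if __name__ == "__main__":
    for group_id in unrestricted_vnc_groups(SAMPLE_GROUPS):
        print(f"{group_id}: VNC (TCP 5900) reachable from the internet")
```

To remediate a flagged group, revoke the world-open rule and re-add it with a trusted source, for example `aws ec2 revoke-security-group-ingress --group-id <id> --protocol tcp --port 5900 --cidr 0.0.0.0/0` followed by `aws ec2 authorize-security-group-ingress --group-id <id> --protocol tcp --port 5900 --cidr 203.0.113.10/32` (the IPv6 and all-traffic variants need the `--ip-permissions` JSON form). Where possible, prefer a source security group (a bastion or VPN host) over a public CIDR, and consider tunnelling VNC over SSH or Session Manager rather than exposing port 5900 at all.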