Why You're Seeing This Alert
Your security monitoring system has detected port scanning activity on your web infrastructure. While this may appear concerning, these alerts are a normal side effect of a correctly functioning system.
What's Actually Happening
Your web infrastructure uses a modern load balancer architecture that routes internet traffic efficiently to your applications. Only ports 80 and 443 are publicly accessible from the internet—these are the standard web ports that all websites use.
    $ nmap -p 80,443,8000,8443 1.2.3.4
    Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-03 12:39 EDT
    Nmap scan report for ec2-1-2-3-4.eu-central-1.compute.amazonaws.com (1.2.3.4)
    Host is up (0.11s latency).

    PORT     STATE    SERVICE
    80/tcp   open     http
    443/tcp  open     https
    8000/tcp filtered http-alt
    8443/tcp filtered https-alt

    Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds
Your security monitoring system (GuardDuty) operates inside your network infrastructure and can see internal traffic flows. When external scanners probe your public web ports (80/443), your load balancer correctly forwards this traffic to your internal application ports (8000/8443). GuardDuty detects this internal traffic flow and flags it as "port probing"—but the ports being probed are actually your internal, protected services, not directly accessible from the internet.
This internal routing is essential for:
- Standard web traffic routing (port 8000 for HTTP)
- Secure certificate management (automated SSL/TLS certificate renewal)
- Encrypted web traffic (port 8443 for HTTPS)
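The pattern described above can be checked per finding rather than assumed. The following is an added example, not code from this page or from AWS: it reads a finding in the GetFindings API JSON shape and reports whether every probed local port is one of the load balancer target ports named here (8000, 8443). The function names, the verdict strings and the sample findings are constructed for illustration.

```python
from collections import Counter

FINDING_TYPE = "Recon:EC2/PortProbeUnprotectedPort"
# Assumption: the load balancer target ports named on this page.
EXPECTED_TARGET_PORTS = frozenset({8000, 8443})


def probed_ports(finding):
    """Count probe records per local port (GetFindings API JSON shape assumed)."""
    action = finding.get("Service", {}).get("Action", {})
    details = action.get("PortProbeAction", {}).get("PortProbeDetails", [])
    ports = (d.get("LocalPortDetails", {}).get("Port") for d in details)
    return Counter(p for p in ports if p is not None)


def triage(finding, expected=EXPECTED_TARGET_PORTS):
    """Return (verdict, unexpected_ports) for one finding."""
    if finding.get("Type") != FINDING_TYPE:
        return "not-applicable", []
    ports = probed_ports(finding)
    if not ports:
        # No port detail to compare against: leave it for a human.
        return "review", []
    unexpected = sorted(p for p in ports if p not in expected)
    return ("review", unexpected) if unexpected else ("expected", [])


def make_finding(*ports):
    """Build a constructed sample finding; the address is a documentation range."""
    return {
        "Type": FINDING_TYPE,
        "Service": {"Action": {"ActionType": "PORT_PROBE", "PortProbeAction": {
            "Blocked": False,
            "PortProbeDetails": [
                {"LocalPortDetails": {"Port": p, "PortName": "Unknown"},
                 "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}
                for p in ports],
        }}},
    }


SAMPLE_FORWARDED = make_finding(8000, 8443, 8443)  # matches the page's pattern
SAMPLE_MIXED = make_finding(8000, 22)              # port 22 is not a target port

if __name__ == "__main__":
    for name, f in (("forwarded", SAMPLE_FORWARDED), ("mixed", SAMPLE_MIXED)):
        print(name, triage(f), dict(probed_ports(f)))
```

A finding that names any port outside the expected set returns `review` with that port listed, so it is not closed along with the forwarded-traffic findings.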
Why This Is Not a Security Concern
These alerts represent zero risk to your operations.
Your infrastructure is:
- Functioning correctly according to industry standards
- Properly secured with only intended services accessible
- Following best practices for modern web architecture
The ports being flagged are legitimate components of your system doing exactly what they're designed to do. Port 8000 is critical for certificate management processes that keep your websites secure and trusted by browsers.
Your infrastructure security remains robust and operates as designed. These alerts simply confirm that your monitoring system is working properly—detecting all network activity, including normal operations of your legitimate services. No action is required, and your business operations continue to be well-protected.
References
AWS Official Documentation:
- GuardDuty EC2 Finding Types - Official AWS documentation on Recon:EC2/PortProbeUnprotectedPort
- Suppression Rules in GuardDuty - How to suppress false positive findings
- Target Groups for Network Load Balancers - NLB target group configuration
Traefik Official Documentation:
- Traefik Helm Chart Values - Official Helm chart showing default port configuration
- Traefik Kubernetes Quick Start - Official documentation showing port usage