Ensure no security groups / firewall rules allow ingress from 0.0.0.0/0 to port [ ]

  • 16 September 2021


Security groups (AWS, Azure) and firewall rules provide stateful filtering of ingress/egress network traffic to cloud provider resources. The AWS rule below flags a security group that allows unrestricted ingress access to port 22 (SSH). It can easily be modified to provide the same protection for other ports, such as RDP (3389), Oracle DB (1521), PostgreSQL (5432), MySQL DB (3306), MongoDB (27017), Microsoft-DS (445), HTTP (80), TCP (445), DNS (53), FTP (21), Telnet (23), SMTP (25), and more. See below for example rules in AWS, Azure, and GCP.


AWS:

EC2Instance should not have SecurityGroups with [ InboundRules with [ IPRanges with [ IP isPublic () ] and Protocol in ("-1","tcp") and ( (FromPort lte 22 and ToPort gte 22) ) ] ]


GCP:

FirewallRule where Disabled eq False should not have Direction eq "INGRESS" and Allowed with [ Protocol in ("all", "tcp") and Ports with [ ( FromPort lte 23 and ToPort gte 23 ) ] ] and SourceRanges with [ Value eq 0.0.0.0/0 ]


Azure:

VirtualMachine should not have NetworkInterfaces with [ SecurityGroup . SecurityRules with [ Access eq "Allow" and Direction eq "Inbound" and Protocol in ("*", "TCP") and Destination . PortRange with [ FromPort lte 3389 and ToPort gte 3389 ] and ( ( Source . Type eq "Any" ) or ( Source . Type eq "Service Tag" and Source . ServiceTag eq "Internet" ) or ( Source . Type eq "IP Addresses" and Source . Addresses with [ Prefix in ( "0.0.0.0/0", "::/0", "<nw>/0", "/0" ) ] ) ) ] ]
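All three rules apply the same test: a protocol of tcp or "all", a port range that covers the port of interest, and a source of 0.0.0.0/0 (or another public range). The Python below is an added example, not Netskope's or any cloud provider's code; it applies that same test offline to a constructed AWS-style IpPermissions document, and the function names and sample group IDs are this example's own.

```python
import ipaddress

# Constructed sample shaped like the IpPermissions list in an AWS
# describe-security-groups response (not real account data).
SAMPLE_GROUPS = {
    "sg-ssh-open": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-all-open": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-range-open": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-internal": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
    "sg-udp-only": [{"IpProtocol": "udp", "FromPort": 22, "ToPort": 22,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-rdp-v6": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                   "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
}

def is_public_cidr(cidr: str) -> bool:
    """Approximates the rule's `IP isPublic ()`: 0.0.0.0/0 and ::/0 are always
    public; otherwise any range that is not private, loopback or link-local."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    return not (net.is_private or net.is_loopback or net.is_link_local)

def permission_covers_port(perm: dict, port: int) -> bool:
    """Protocol in ("-1", "tcp") and FromPort <= port <= ToPort.
    AWS omits the port fields for "-1" (all traffic), so that always matches."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def find_open_ingress(groups: dict, port: int) -> list:
    """IDs of groups with at least one public ingress rule that covers `port`."""
    flagged = []
    for sg_id, perms in groups.items():
        for perm in perms:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if permission_covers_port(perm, port) and any(map(is_public_cidr, sources)):
                flagged.append(sg_id)
                break  # one matching rule is enough to flag the group
    return sorted(flagged)

if __name__ == "__main__":
    print(find_open_ingress(SAMPLE_GROUPS, 22))  # ['sg-all-open', 'sg-range-open', 'sg-ssh-open']
```

Change the port argument to 3389, 1521 or any other port from the list above to reproduce the other variants of the rule.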


Import / export rules to/from Netskope via the REST API here:

https://docs.netskope.com/en/import-and-export-csa-custom-rules.html


Let us know how this worked for you in the comments below!

