
VPC Flow Logs Inbound Port Allowlist

Panther Rules

Summary
This detection rule monitors AWS VPC Flow Logs for inbound traffic that violates an established port allowlist. Specifically, it triggers alerts on attempts to reach private IP addresses from public sources on ports outside the allowlist, and it also records approved traffic for auditing purposes. The rule targets common attack vectors in which non-allowlisted ports are used for command and control (C2) communications and other unauthorized access. The detection logic examines the ports being accessed and logs the activity to support network security compliance. The rule helps organizations maintain visibility over traffic patterns, enforce security policies, and reduce the risk posed by unapproved entry points to sensitive resources within the private network.
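As an added illustration (not the rule's own source), the following Python applies the logic described above to constructed default-format VPC Flow Log v2 records: accepted flows from a non-RFC 1918 source to an RFC 1918 destination are split into allowlisted and non-allowlisted ports, and NODATA, REJECT and internal-only records are ignored. The allowlist, sample addresses and "private" definition are assumptions for this example.

```python
import ipaddress

# Constructed allowlist of approved inbound ports (assumption for this example).
APPROVED_INBOUND_PORTS = {22, 443}

# Default AWS VPC Flow Logs v2 record layout (space separated).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# "Private" here means RFC 1918; anything else is treated as a public source.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flow_record(line):
    """Parse one default-format v2 record into a dict, or None if malformed."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_private(value):
    """RFC 1918 test; '-' (NODATA/SKIPDATA records) and bad input count as not private."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def classify(rec):
    """'violation', 'approved', or None (out of scope) for one parsed record."""
    if rec is None or rec.get("action") != "ACCEPT":
        return None
    # Only accepted traffic from a non-private source to a private host is inbound scope.
    if is_private(rec["srcaddr"]) or not is_private(rec["dstaddr"]):
        return None
    if not rec["dstport"].isdigit():
        return None
    return "approved" if int(rec["dstport"]) in APPROVED_INBOUND_PORTS else "violation"

def scan(lines):
    """Return {'violation': [...], 'approved': [...]} of (src, dst, port) tuples."""
    out = {"violation": [], "approved": []}
    for line in lines:
        rec = parse_flow_record(line)
        verdict = classify(rec)
        if verdict:
            out[verdict].append((rec["srcaddr"], rec["dstaddr"], int(rec["dstport"])))
    return out

# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51000 3389 6 10 840 1690000000 1690000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.25 40000 443 6 5 400 1690000000 1690000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.9 10.0.1.25 33000 8080 6 3 200 1690000000 1690000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51001 8443 6 1 60 1690000000 1690000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1690000000 1690000060 - NODATA",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LINES))
```

Only the first sample line is reported as a violation (port 3389 from a public source); the second is recorded as approved, and the rest fall out of scope.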
Categories
  • Cloud
  • AWS
  • Network
Data Sources
  • Volume
  • Logon Session
  • Network Traffic
  • Cloud Service
  • Process
ATT&CK Techniques
  • T1571
Created: 2022-09-02