Security group rules must not permit ingress from the public internet (0.0.0.0/0 or ::/0). Open rules expose instances to unauthorized access and automated attacks. In Ansible tasks using the amazon.aws.ec2_group or ec2_group modules, each entry in the rules list must not set cidr_ip to 0.0.0.0/0 or cidr_ipv6 to ::/0. This rule flags any rules item with those values. Instead, restrict access to specific CIDR ranges, reference other security groups, or require access via a bastion/VPN.
Secure example with a restricted CIDR:
```yaml
- name: create ssh access for admin network
  amazon.aws.ec2_group:
    name: my-secgroup
    rules:
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 203.0.113.0/24
```
Compliant Code Examples
```yaml
- name: example ec2 group2
  ec2_group1:
    name: example1
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1a
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 10.1.1.1/32
```
Non-Compliant Code Examples
```yaml
- name: create minimal aurora instance in default VPC and default subnet group
  amazon.aws.rds_instance:
    engine: aurora
    db_instance_identifier: ansible-test-aurora-db-instance
    instance_type: db.t2.small
    password: "{{ password }}"
    username: "{{ username }}"
    cluster_id: ansible-test-cluster
    db_security_groups: ["example"]

- name: example ec2 group
  ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1a
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
```
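As an added example (not part of the Datadog rule or of the amazon.aws collection), the check below applies the same logic to a parsed playbook: it walks each task, matches the ec2_group or amazon.aws.ec2_group module, and reports every item in the ingress rules list whose cidr_ip is 0.0.0.0/0 or whose cidr_ipv6 is ::/0. It also handles the list form of cidr_ip that the module accepts and deliberately leaves rules_egress alone, since the rule concerns ingress only; the sample tasks and the function names are constructed here, in the shape yaml.safe_load returns for a play.

```python
# Module names (short and fully qualified) that the check covers.
EC2_GROUP_MODULES = {"ec2_group", "amazon.aws.ec2_group"}
# Parameter name -> the value that means "anywhere" for that address family.
OPEN_CIDRS = {"cidr_ip": {"0.0.0.0/0"}, "cidr_ipv6": {"::/0"}}

def _as_list(value):
    """cidr_ip / cidr_ipv6 may be a single CIDR string or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_open_ingress(tasks):
    """Return one finding per ingress rule permitting 0.0.0.0/0 or ::/0.
    tasks: a play's task list as returned by yaml.safe_load. Only the
    ingress `rules` list is inspected; `rules_egress` is not this rule's concern."""
    findings = []
    for idx, task in enumerate(tasks):
        module = next((k for k in task if k in EC2_GROUP_MODULES), None)
        if module is None:
            continue  # not a security-group task
        for rule_no, rule in enumerate((task[module] or {}).get("rules") or []):
            for key, open_values in OPEN_CIDRS.items():
                for cidr in _as_list(rule.get(key)):
                    if str(cidr).strip() in open_values:
                        findings.append(
                            f"task {idx} ({task.get('name', module)}): rules[{rule_no}] "
                            f"{key}={cidr} ports {rule.get('from_port')}-{rule.get('to_port')}"
                        )
    return findings

# Constructed sample tasks, in the shape yaml.safe_load returns for a play.
SAMPLE_TASKS = [
    {"name": "create ssh access for admin network",
     "amazon.aws.ec2_group": {"name": "my-secgroup", "rules": [
         {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "203.0.113.0/24"}]}},
    {"name": "example ec2 group",
     "ec2_group": {"name": "example", "rules": [
         {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": "0.0.0.0/0"}],
         "rules_egress": [{"proto": "all", "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "v6 and list form",
     "amazon.aws.ec2_group": {"name": "v6", "rules": [
         {"proto": "tcp", "from_port": 443, "to_port": 443,
          "cidr_ip": ["10.0.0.0/8", "0.0.0.0/0"], "cidr_ipv6": "::/0"}]}},
]

if __name__ == "__main__":
    print("\n".join(find_open_ingress(SAMPLE_TASKS)) or "no open ingress rules")
```

Running it reports three findings: the HTTP rule in the second task and both the IPv4 list entry and the IPv6 entry in the third, while the egress rule and the 203.0.113.0/24 admin rule pass.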
Rulesets: Ansible / AWS (Rules to enforce / AWS)