---
title: Default security groups with unrestricted traffic
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Default security groups with unrestricted
  traffic
---

# Default security groups with unrestricted traffic

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-default-security-groups-with-unrestricted-traffic`

**Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html)

### Description{% #description %}

Security groups that allow inbound or outbound traffic from or to `0.0.0.0/0` or `::/0` expose the attached resources to the entire IPv4 or IPv6 internet, increasing the risk of unauthorized access, brute-force attacks, and data exfiltration. The exposure is compounded when the rule uses `proto: -1` or `proto: all`, because `from_port` and `to_port` are then ignored and every port is opened to that range.

For Ansible `amazon.aws.ec2_group` (or legacy `ec2_group`) tasks, inspect every entry in `rules` and `rules_egress` and ensure the `cidr_ip` and `cidr_ipv6` properties are not set to `0.0.0.0/0` or `::/0`. Both properties accept a single CIDR or a list of CIDRs, so a task is flagged whether it contains `cidr_ip: 0.0.0.0/0`, `cidr_ipv6: ::/0`, or either value as a list item. Restrict access to specific CIDR ranges, or reference other security groups with `group_id` or `group_name`, instead of using global open CIDRs.

Secure configuration example (a complete task, including the `description` the module requires when it creates the group):

```yaml
- name: Create a security group with restricted ingress and egress
  amazon.aws.ec2_group:
    name: my-sg
    description: SSH from the admin range only, egress to the VPC only
    rules:
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 203.0.113.0/24
    rules_egress:
      - proto: -1          # all protocols; from_port/to_port are ignored
        from_port: 0
        to_port: 0
        cidr_ip: 10.0.0.0/16
```
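The check described above can be reproduced locally before a playbook is committed. The script below is an added example for this page, not part of the Datadog rule implementation or of the Ansible collection. It scans already-parsed playbook or task-file data (the structure PyYAML's `safe_load` returns) for `amazon.aws.ec2_group`/`ec2_group` tasks whose `cidr_ip` or `cidr_ipv6` is a zero-length prefix, and it goes slightly beyond the page's wording: it handles scalar and list forms, tasks nested in `block`/`rescue`/`always`, plays with `tasks`/`pre_tasks`/`post_tasks`/`handlers`, and spelling variants such as `::0/0` by canonicalizing through `ipaddress`. The sample tasks, the helper names, and the finding format are assumptions of this example; Jinja-templated values such as `{{ trusted_cidr }}` cannot be resolved statically and are skipped.

```python
"""Added example: flag amazon.aws.ec2_group rules open to 0.0.0.0/0 or ::/0.

Works on parsed playbook data (what yaml.safe_load returns) so it runs
without PyYAML; scan_playbook_text() parses YAML when PyYAML is installed.
"""
import ipaddress
from typing import Any, Iterator

# Both the FQCN and the legacy short name are in scope for the rule.
EC2_GROUP_MODULES = ("amazon.aws.ec2_group", "ec2_group")
RULE_KEYS = ("rules", "rules_egress")
CIDR_KEYS = ("cidr_ip", "cidr_ipv6")
# Keys whose value is a nested list of tasks (plays and blocks).
NESTED_TASK_KEYS = ("tasks", "pre_tasks", "post_tasks", "handlers",
                    "block", "rescue", "always")


def is_unrestricted(cidr: Any) -> bool:
    """True if the CIDR covers its whole address family (prefix length 0).

    ipaddress canonicalizes variants such as '::0/0'. Templated values like
    '{{ cidr }}' cannot be evaluated statically; they raise ValueError and
    are not flagged.
    """
    if not isinstance(cidr, str):
        return False
    try:
        return ipaddress.ip_network(cidr.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def _iter_tasks(items: Any) -> Iterator[dict]:
    """Yield leaf tasks, descending into plays and block/rescue/always."""
    if not isinstance(items, list):
        return
    for item in items:
        if not isinstance(item, dict):
            continue
        nested = [k for k in NESTED_TASK_KEYS if isinstance(item.get(k), list)]
        if nested:
            for key in nested:
                yield from _iter_tasks(item[key])
        else:
            yield item


def find_unrestricted_rules(data: Any) -> list:
    """Return one finding per offending CIDR in rules/rules_egress."""
    findings = []
    for task in _iter_tasks(data):
        module = next((m for m in EC2_GROUP_MODULES if m in task), None)
        if module is None or not isinstance(task[module], dict):
            continue
        params = task[module]
        for rule_key in RULE_KEYS:
            for idx, rule in enumerate(params.get(rule_key) or []):
                if not isinstance(rule, dict):
                    continue
                for cidr_key in CIDR_KEYS:
                    value = rule.get(cidr_key)
                    # Both parameters accept a scalar or a list of CIDRs.
                    values = value if isinstance(value, list) else [value]
                    for cidr in values:
                        if is_unrestricted(cidr):
                            findings.append({
                                "task": task.get("name", "<unnamed>"),
                                "group": params.get("name"),
                                "direction": "egress" if rule_key == "rules_egress" else "ingress",
                                "rule_index": idx,
                                "key": cidr_key,
                                "cidr": cidr,
                            })
    return findings


def scan_playbook_text(text: str) -> list:
    """Parse YAML text and scan it (PyYAML is a dependency of Ansible itself)."""
    import yaml  # local import keeps the dict-based API usable without PyYAML
    return find_unrestricted_rules(yaml.safe_load(text))


# Constructed sample in the shape of this page's examples, already parsed.
SAMPLE_TASKS = [
    {"name": "open ssh to the world",
     "amazon.aws.ec2_group": {
         "name": "example", "description": "constructed sample",
         "rules": [{"proto": "tcp", "from_port": 22, "to_port": 22,
                    "cidr_ip": ["0.0.0.0/0"]}]}},            # list form
    {"name": "open egress v6",
     "ec2_group": {                                          # legacy name
         "name": "example2", "description": "constructed sample",
         "rules_egress": [{"proto": "tcp", "from_port": 80, "to_port": 80,
                           "cidr_ipv6": "::/0"}]}},
    {"name": "restricted",
     "amazon.aws.ec2_group": {
         "name": "example3", "description": "constructed sample",
         "rules": [{"proto": "tcp", "ports": 22, "cidr_ip": "203.0.113.0/24"},
                   {"proto": "tcp", "ports": 443, "group_name": "example-other"}],
         "rules_egress": [{"proto": "tcp", "ports": 80,
                           "cidr_ip": "{{ proxy_cidr }}"}]}},  # templated: skipped
    {"block": [
        {"name": "nested in a block",
         "amazon.aws.ec2_group": {
             "name": "example4", "description": "constructed sample",
             "rules": [{"proto": "all", "cidr_ip": "0.0.0.0/0"}]}}]},
]

if __name__ == "__main__":
    for f in find_unrestricted_rules(SAMPLE_TASKS):
        print(f"{f['task']} ({f['group']}): {f['direction']} rule "
              f"#{f['rule_index']} {f['key']}={f['cidr']}")
```

Run against `SAMPLE_TASKS` the script reports three findings (the list-form IPv4 ingress, the IPv6 egress, and the rule nested in the block) and stays silent on the `203.0.113.0/24` rule, the `group_name` reference, and the templated egress CIDR. A templated value that resolves to `0.0.0.0/0` at run time is outside what a static check can see, so variables feeding `cidr_ip` should be reviewed separately.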

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET   # placeholder; keep real credentials out of playbooks
    aws_access_key: ACCESS
    rules:
      # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
      # traffic on all ports is allowed, regardless of any ports you specify
      - proto: all
        from_port: 10050   # this value is ignored
        to_port: 10050     # this value is ignored
        cidr_ip: 10.1.0.0/16
        cidr_ipv6: 64:ff9b::/96
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 10.1.0.0/16
        cidr_ipv6: 64:ff9b::/96
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: all
        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
        # traffic on all ports is allowed, regardless of any ports you specify
        from_port: 10050 # this value is ignored
        to_port: 10050 # this value is ignored
        cidr_ip:
          - 0.0.0.0/0
- name: example2 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group
- name: example3 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: all
        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
        # traffic on all ports is allowed, regardless of any ports you specify
        from_port: 10050 # this value is ignored
        to_port: 10050 # this value is ignored
        cidr_ipv6: ::/0
- name: example4 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ipv6: ::/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group
- name: example5 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      # 'ports' rule keyword was introduced in version 2.4. It accepts a single port value or a list of values including ranges (from_port-to_port).
      - proto: tcp
        ports: 22
        group_name: example-vpn
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ipv6:
          - ::/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group
```
