For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-aws-default-security-groups-with-unrestricted-traffic.md.
Security groups that allow inbound or outbound CIDR ranges of 0.0.0.0/0 or ::/0 expose resources to the entire internet, increasing the risk of unauthorized access, brute-force attacks, and data exfiltration.
For Ansible amazon.aws.ec2_group or ec2_group tasks, inspect every entry under rules and rules_egress and ensure the cidr_ip and cidr_ipv6 properties are not set to 0.0.0.0/0 or ::/0. Tasks containing cidr_ip: 0.0.0.0/0 or cidr_ipv6: ::/0, whether given as a single value or as an item in a list, are flagged. Restrict access to specific CIDR ranges, or reference another security group (group_name) instead of using globally open CIDRs.
Compliant Code Examples

```yaml
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: all
        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
        # traffic on all ports is allowed, regardless of any ports you specify
        from_port: 10050 # this value is ignored
        to_port: 10050 # this value is ignored
        cidr_ip: 10.1.0.0/16
        cidr_ipv6: 64:ff9b::/96
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 10.1.0.0/16
        cidr_ipv6: 64:ff9b::/96
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group
```
Non-Compliant Code Examples
```yaml
---
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: all
        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
        # traffic on all ports is allowed, regardless of any ports you specify
        from_port: 10050 # this value is ignored
        to_port: 10050 # this value is ignored
        cidr_ip:
          - 0.0.0.0/0

- name: example2 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group

- name: example3 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: all
        # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6),
        # traffic on all ports is allowed, regardless of any ports you specify
        from_port: 10050 # this value is ignored
        to_port: 10050 # this value is ignored
        cidr_ipv6: ::/0

- name: example4 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ipv6: ::/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group

- name: example5 ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      # 'ports' rule keyword was introduced in version 2.4.
      # It accepts a single port value or a list of values including ranges (from_port-to_port).
      - proto: tcp
        ports: 22
        group_name: example-vpn
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ipv6:
          - ::/0
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group
```
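The check described above, written out as an added example that is not Datadog's rule implementation: it walks a parsed Ansible playbook (plays, blocks or a bare task list), finds amazon.aws.ec2_group / ec2_group tasks, and reports every rules or rules_egress entry whose cidr_ip or cidr_ipv6 is 0.0.0.0/0 or ::/0, whether the value is a scalar or a list item. The sample playbooks are constructed Python literals equivalent to the YAML examples on this page (what yaml.safe_load would return), so the script runs without PyYAML; the helper and finding field names are this example's own.

```python
"""Flag Ansible ec2_group tasks whose rules/rules_egress open 0.0.0.0/0 or ::/0.

Added example, not Datadog's rule implementation. Works on an already
parsed playbook; load a real file with yaml.safe_load() and pass the result
to find_open_cidr_rules().
"""
from typing import Any, Iterable

# Module names the page puts in scope for the rule.
EC2_GROUP_MODULES = ("amazon.aws.ec2_group", "ec2_group")
# Rule sections and CIDR keys inspected, as described on the page.
RULE_SECTIONS = ("rules", "rules_egress")
CIDR_KEYS = ("cidr_ip", "cidr_ipv6")
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
# Keys under which Ansible nests further tasks (plays and blocks).
TASK_CONTAINERS = ("tasks", "pre_tasks", "post_tasks", "handlers",
                   "block", "rescue", "always")


def iter_tasks(node: Any) -> Iterable[dict]:
    """Yield every task dict in a playbook, descending into plays and blocks."""
    if isinstance(node, list):
        for item in node:
            yield from iter_tasks(item)
    elif isinstance(node, dict):
        nested = [node[k] for k in TASK_CONTAINERS if k in node]
        if nested:
            for sub in nested:
                yield from iter_tasks(sub)
        else:
            yield node


def as_list(value: Any) -> list:
    """cidr_ip / cidr_ipv6 accept a scalar or a list; normalise to a list of strings."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v).strip() for v in value]
    return [str(value).strip()]


def find_open_cidr_rules(playbook: Any) -> list:
    """Return one finding per rule entry whose cidr_ip/cidr_ipv6 is 0.0.0.0/0 or ::/0."""
    findings = []
    for task in iter_tasks(playbook):
        module = next((m for m in EC2_GROUP_MODULES if m in task), None)
        if module is None:
            continue
        params = task.get(module)
        if not isinstance(params, dict):
            continue
        for section in RULE_SECTIONS:
            for rule in params.get(section) or []:
                if not isinstance(rule, dict):
                    continue
                for key in CIDR_KEYS:
                    for cidr in as_list(rule.get(key)):
                        if cidr in OPEN_CIDRS:
                            findings.append({
                                "task": task.get("name", "<unnamed>"),
                                "section": section,
                                "key": key,
                                "cidr": cidr,
                                # 'proto: all' plus an open CIDR ignores the ports entirely
                                "proto": str(rule.get("proto", "")),
                            })
    return findings


def _task(task_name: str, **params: Any) -> dict:
    """Constructed helper: build a task like the page's examples (secrets omitted)."""
    base = {"name": "example", "description": "an example EC2 group",
            "vpc_id": 12345, "region": "eu-west-1"}
    base.update(params)
    return {"name": task_name, "amazon.aws.ec2_group": base}


# Constructed sample: the page's five non-compliant tasks as parsed data.
NON_COMPLIANT = [
    _task("example ec2 group", rules=[{"proto": "all", "from_port": 10050, "to_port": 10050,
                                       "cidr_ip": ["0.0.0.0/0"]}]),
    _task("example2 ec2 group", rules_egress=[{"proto": "tcp", "from_port": 80, "to_port": 80,
                                               "cidr_ip": "0.0.0.0/0", "group_name": "example-other"}]),
    _task("example3 ec2 group", rules=[{"proto": "all", "from_port": 10050, "to_port": 10050,
                                        "cidr_ipv6": "::/0"}]),
    _task("example4 ec2 group", rules_egress=[{"proto": "tcp", "from_port": 80, "to_port": 80,
                                               "cidr_ipv6": "::/0", "group_name": "example-other"}]),
    _task("example5 ec2 group",
          rules=[{"proto": "tcp", "ports": 22, "group_name": "example-vpn"}],
          rules_egress=[{"proto": "tcp", "from_port": 80, "to_port": 80,
                         "cidr_ipv6": ["::/0"], "group_name": "example-other"}]),
]

# Constructed sample: the page's compliant task (specific CIDRs plus a group reference).
COMPLIANT = [
    _task("example ec2 group",
          rules=[{"proto": "all", "from_port": 10050, "to_port": 10050,
                  "cidr_ip": "10.1.0.0/16", "cidr_ipv6": "64:ff9b::/96"}],
          rules_egress=[{"proto": "tcp", "from_port": 80, "to_port": 80,
                         "cidr_ip": "10.1.0.0/16", "cidr_ipv6": "64:ff9b::/96",
                         "group_name": "example-other"}]),
]

if __name__ == "__main__":
    for f in find_open_cidr_rules(NON_COMPLIANT):
        print(f"{f['task']}: {f['section']}.{f['key']} = {f['cidr']} (proto {f['proto']})")
    print("compliant findings:", find_open_cidr_rules(COMPLIANT))
```

The walker treats plays, blocks and bare task lists alike, so the same call works for a full playbook file and for a task file included from a role; the finding keeps the rule's proto because an open CIDR combined with proto: all admits every port regardless of from_port/to_port, which is worth surfacing first when triaging.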
Ruleset: Ansible / AWS (Rules to enforce / AWS).