Allowing HTTP (TCP port 80) from 0.0.0.0/0 in a Security Group exposes services to unauthenticated public access and subjects unencrypted traffic to eavesdropping and automated scanning. In Ansible tasks using amazon.aws.ec2_group or ec2_group, this rule flags rules entries where cidr_ip is 0.0.0.0/0 and the entry opens port 80.
Resources with such rules are flagged. To remediate, restrict cidr_ip to explicit trusted CIDR ranges or remove the public HTTP rule. Alternatively, serve traffic over HTTPS (port 443) terminated at a load balancer or proxy with appropriate access controls, so that only the TLS endpoint, not the instance, is reachable from the internet.
Secure example showing HTTP restricted to a trusted CIDR:
```yaml
- name: create security group with restricted HTTP
  amazon.aws.ec2_group:
    name: my-sg
    description: "example"
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 10.0.0.0/16
```
Compliant Code Examples
```yaml
- name: example ec2 group1
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 67
        to_port: 82
        cidr_ip: 0.0.0.0/1

- name: example ec2 group2
  amazon.aws.ec2_group:
    name: example2
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 80
        cidr_ip: 0.0.1.0/0

- name: example ec2 group3
  amazon.aws.ec2_group:
    name: example3
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 79-90
        cidr_ip: 0.1.0.0/0

- name: example ec2 group4
  amazon.aws.ec2_group:
    name: example3
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 100
          - 70-90
        cidr_ip: 10.0.0.0/0

- name: example ec2 group5
  amazon.aws.ec2_group:
    name: example5
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 80
          - 30-31
        cidr_ip: 0.0.0.0/10

- name: example ec2 group6
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: -1
        to_port: 82
        cidr_ip: 0.1.0.0/0

- name: example ec2 group7
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 67
        to_port: -1
        cidr_ip: 1.0.0.0/0
```
Non-Compliant Code Examples
```yaml
- name: example ec2 group1
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 67
        to_port: 82
        cidr_ip: 0.0.0.0/0

- name: example ec2 group2
  amazon.aws.ec2_group:
    name: example2
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 80
        cidr_ip: 0.0.0.0/0

- name: example ec2 group3
  amazon.aws.ec2_group:
    name: example3
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 79-90
        cidr_ip: 0.0.0.0/0

- name: example ec2 group4
  amazon.aws.ec2_group:
    name: example4
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 100
          - 70-90
        cidr_ip: 0.0.0.0/0

- name: example ec2 group5
  amazon.aws.ec2_group:
    name: example5
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 80
          - 30-31
        cidr_ip: 0.0.0.0/0

- name: example ec2 group6
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: -1
        to_port: 82
        cidr_ip: 0.0.0.0/0

- name: example ec2 group7
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 67
        to_port: -1
        cidr_ip: 0.0.0.0/0
```
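The compliant and non-compliant examples above show every port spelling the rule has to understand: a single `ports` value, a `79-90` range string, a list mixing both, and `from_port`/`to_port` pairs where `-1` is the EC2 wildcard for all ports. The following Python checker is an added illustration of that matching logic, not Datadog's scanner or the amazon.aws collection's code. It works on tasks already parsed into Python dicts (the `SAMPLE_TASKS` below are constructed to mirror the YAML on this page, so no YAML library is needed) and flags an entry only when its port specification covers 80 and `cidr_ip` is literally `0.0.0.0/0`; treating `proto: all` / `proto: -1` as covering TCP is my assumption, since the page's examples are all `proto: tcp`.

```python
import re

# Module names the rule applies to, per the description above.
EC2_GROUP_MODULES = ("amazon.aws.ec2_group", "ec2_group")
PUBLIC_CIDR = "0.0.0.0/0"
HTTP_PORT = 80

# Matches "80", "-1", and "70-90" (a leading minus only on the first number).
_PORT_SPEC = re.compile(r"^(-?\d+)(?:-(\d+))?$")


def parse_port_entry(entry):
    """Return (low, high) for an int (80), a single-port string ("80"),
    or a range string ("70-90"). -1 is the EC2 wildcard for all ports."""
    if isinstance(entry, int):
        return entry, entry
    match = _PORT_SPEC.match(str(entry).strip())
    if not match:
        raise ValueError(f"unrecognised port spec: {entry!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) is not None else low
    return low, high


def span_covers(low, high, port):
    """True if the inclusive span low..high includes port; -1 on either end
    means 'all ports', as in the from_port: -1 / to_port: -1 examples."""
    if low == -1 or high == -1:
        return True
    return low <= port <= high


def rule_opens_port(rule, port=HTTP_PORT):
    """True if the rule entry's port specification includes `port`,
    whether written as `ports` (scalar or list) or from_port/to_port."""
    if "ports" in rule:
        entries = rule["ports"]
        if not isinstance(entries, list):
            entries = [entries]
        return any(span_covers(*parse_port_entry(e), port) for e in entries)
    if "from_port" in rule and "to_port" in rule:
        return span_covers(int(rule["from_port"]), int(rule["to_port"]), port)
    return False


def rule_is_public(rule):
    """True only for the literal 0.0.0.0/0; 0.0.0.0/1 or 0.0.0.0/10 as in the
    compliant examples are narrower prefixes and are not flagged."""
    cidrs = rule.get("cidr_ip", [])
    if not isinstance(cidrs, list):
        cidrs = [cidrs]
    return any(str(c).strip() == PUBLIC_CIDR for c in cidrs)


def find_public_http(tasks):
    """Return (task name, rule index) for each ec2_group rule entry that
    opens TCP/80 to 0.0.0.0/0, mirroring the check described above."""
    findings = []
    for task in tasks:
        module = next((m for m in EC2_GROUP_MODULES if m in task), None)
        if module is None:
            continue
        for index, rule in enumerate(task[module].get("rules") or []):
            # Assumption: "all"/-1 protocols also cover TCP (not on the page).
            if str(rule.get("proto", "")).lower() not in ("tcp", "all", "-1"):
                continue
            if rule_is_public(rule) and rule_opens_port(rule):
                findings.append((task.get("name", "<unnamed>"), index))
    return findings


# Constructed sample tasks, shaped like the parsed YAML examples above.
SAMPLE_TASKS = [
    {"name": "public http via range",
     "amazon.aws.ec2_group": {"name": "sg1", "description": "constructed",
                              "rules": [{"proto": "tcp", "from_port": 67, "to_port": 82,
                                         "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "wildcard from_port",
     "ec2_group": {"name": "sg2", "description": "constructed",
                   "rules": [{"proto": "tcp", "from_port": -1, "to_port": 82,
                              "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "ports list public",
     "amazon.aws.ec2_group": {"name": "sg3", "description": "constructed",
                              "rules": [{"proto": "tcp", "ports": [100, "70-90"],
                                         "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "restricted cidr",
     "amazon.aws.ec2_group": {"name": "sg4", "description": "constructed",
                              "rules": [{"proto": "tcp", "ports": 80,
                                         "cidr_ip": "10.0.0.0/16"}]}},
    {"name": "public but not port 80",
     "amazon.aws.ec2_group": {"name": "sg5", "description": "constructed",
                              "rules": [{"proto": "tcp", "ports": ["443", "30-31"],
                                         "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "unrelated module", "amazon.aws.ec2_instance": {"name": "web"}},
]

if __name__ == "__main__":
    for task_name, rule_index in find_public_http(SAMPLE_TASKS):
        print(f"HTTP open to 0.0.0.0/0: task '{task_name}', rules[{rule_index}]")
```

Running the block reports the first three sample tasks and stays quiet on the restricted-CIDR task, the public-but-443 task, and the non-ec2_group task, which is the behaviour the compliant and non-compliant listings above describe.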
Rulesets: Ansible / AWS (rules to enforce for AWS).