---
title: HTTP port open to internet
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > HTTP port open to internet
---

# HTTP port open to internet

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-http-port-open-to-internet`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module)

## Description{% #description %}

Allowing HTTP (TCP port 80) from `0.0.0.0/0` in a security group exposes the service to unauthenticated access from the whole internet and subjects unencrypted traffic to eavesdropping and automated scanning. In Ansible tasks using `amazon.aws.ec2_group` or `ec2_group`, this rule flags `rules` entries where `cidr_ip` is `0.0.0.0/0` and the entry opens port 80, whether through `from_port`/`to_port` or through `ports`.

To remediate, restrict `cidr_ip` to explicit trusted CIDR ranges or remove the public HTTP rule. Alternatively, serve traffic over HTTPS (port 443) terminated at a load balancer or proxy with appropriate access controls.

Secure example showing HTTP restricted to a trusted CIDR:

```yaml
- name: create security group with restricted HTTP
  amazon.aws.ec2_group:
    name: my-sg
    description: "example"
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 10.0.0.0/16
```
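The check described above, written out as a small scanner over parsed Ansible tasks. This is an added example, not Datadog's rule implementation or any part of the `amazon.aws` collection; the task dicts are constructed inline in the shape `yaml.safe_load` would return for a task list, so no PyYAML install is needed to run it. It mirrors the documented rule (literal `cidr_ip: 0.0.0.0/0`, port 80 covered by `from_port`/`to_port` or `ports`, with `-1` as a wildcard, as in the fixtures on this page) and adds one optional generalization beyond the rule: with `normalize_cidr=True` any CIDR whose prefix length is 0 is treated as public, because `10.0.0.0/0` or `0.0.1.0/0` denotes the same address range as `0.0.0.0/0`. That stricter mode would flag several of the compliant fixtures on this page, which only pass the rule's literal string match; the function names and the `scan_playbook_text` helper are this example's own.

```python
"""Added example: find amazon.aws.ec2_group tasks exposing TCP/80 to the internet."""
import ipaddress
from typing import Iterable

HTTP_PORT = 80
EC2_GROUP_MODULES = ("amazon.aws.ec2_group", "ec2_group")


def _port_ranges(rule: dict) -> Iterable[tuple[int, int]]:
    """Yield (low, high) port ranges a rule entry opens.

    from_port/to_port of -1 is treated as a wildcard end of the range, matching
    how this page's fixtures with -1 are flagged. `ports` may be an int, an
    "a-b" string, or a list of those.
    """
    if "from_port" in rule or "to_port" in rule:
        lo = int(rule.get("from_port", -1))
        hi = int(rule.get("to_port", -1))
        yield (0 if lo == -1 else lo, 65535 if hi == -1 else hi)
    ports = rule.get("ports")
    if ports is None:
        return
    for item in ports if isinstance(ports, list) else [ports]:
        text = str(item).strip()
        if "-" in text[1:]:  # "79-90" (a leading "-" would be a negative number)
            a, b = text.split("-", 1)
            yield (int(a), int(b))
        else:
            yield (int(text), int(text))


def _covers_http(rule: dict) -> bool:
    return any(lo <= HTTP_PORT <= hi for lo, hi in _port_ranges(rule))


def _is_public(cidr: str, normalize: bool) -> bool:
    """Literal 0.0.0.0/0 is what the documented rule matches.

    normalize=True (this example's extension) also counts any /0 prefix, since a
    zero-length mask covers every address regardless of the address part.
    """
    if cidr == "0.0.0.0/0":
        return True
    if not normalize:
        return False
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:  # not a parseable IPv4/IPv6 CIDR; leave it to other checks
        return False


def find_public_http_rules(tasks: list, normalize_cidr: bool = False) -> list:
    """Return one finding string per rule entry that opens TCP/80 to the internet."""
    findings = []
    for task in tasks:
        module = next((m for m in EC2_GROUP_MODULES if m in task), None)
        if module is None:
            continue
        params = task[module] or {}
        for idx, rule in enumerate(params.get("rules") or []):
            # proto -1/all opens every protocol, so it covers TCP/80 as well
            # (assumption beyond the documented rule, which only names TCP).
            if str(rule.get("proto", "tcp")).lower() not in ("tcp", "-1", "all"):
                continue
            cidr = rule.get("cidr_ip")
            if cidr is None:
                continue
            if _is_public(str(cidr), normalize_cidr) and _covers_http(rule):
                findings.append(
                    f"{task.get('name', '<unnamed>')}: {module} rules[{idx}] "
                    f"opens TCP/{HTTP_PORT} to {cidr}"
                )
    return findings


def scan_playbook_text(text: str, normalize_cidr: bool = False) -> list:
    """Scan a YAML task list; needs PyYAML (assumed installed when this is called)."""
    import yaml
    return find_public_http_rules(yaml.safe_load(text) or [], normalize_cidr)


# Constructed sample tasks patterned on the fixtures on this page.
SAMPLE_TASKS = [
    {"name": "public http range", "amazon.aws.ec2_group": {"name": "sg1", "rules": [
        {"proto": "tcp", "from_port": 67, "to_port": 82, "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "public http list", "ec2_group": {"name": "sg2", "rules": [
        {"proto": "tcp", "ports": [80, "30-31"], "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "wildcard low port", "amazon.aws.ec2_group": {"name": "sg3", "rules": [
        {"proto": "tcp", "from_port": -1, "to_port": 82, "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "restricted http", "amazon.aws.ec2_group": {"name": "sg4", "rules": [
        {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": "10.0.0.0/16"}]}},
    {"name": "public ssh only", "amazon.aws.ec2_group": {"name": "sg5", "rules": [
        {"proto": "tcp", "ports": 22, "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "non-canonical zero mask", "amazon.aws.ec2_group": {"name": "sg6", "rules": [
        {"proto": "tcp", "ports": 80, "cidr_ip": "10.0.0.0/0"}]}},
]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"normalize_cidr={mode}:")
        for line in find_public_http_rules(SAMPLE_TASKS, normalize_cidr=mode):
            print("  ", line)
```

With the literal match the first three sample tasks are reported and `restricted http` and `public ssh only` are not; enabling `normalize_cidr` additionally reports `non-canonical zero mask`, which is the case the literal rule misses.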

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: example ec2 group1
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: tcp
      from_port: 67
      to_port: 82
      cidr_ip: 0.0.0.0/1

- name: example ec2 group2
  amazon.aws.ec2_group:
    name: example2
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: tcp
      ports: 80
      cidr_ip: 0.0.1.0/0

- name: example ec2 group3
  amazon.aws.ec2_group:
    name: example3
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: tcp
      ports: 79-90
      cidr_ip: 0.1.0.0/0

- name: example ec2 group4
  amazon.aws.ec2_group:
    name: example3
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: tcp
      ports:
      - 100
      - 70-90
      cidr_ip: 10.0.0.0/0

- name: example ec2 group5
  amazon.aws.ec2_group:
    name: example5
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: tcp
      ports:
      - 80
      - 30-31
      cidr_ip: 0.0.0.0/10

- name: example ec2 group6
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: tcp
      from_port: -1
      to_port: 82
      cidr_ip: 0.1.0.0/0

- name: example ec2 group7
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
    - proto: tcp
      from_port: 67
      to_port: -1
      cidr_ip: 1.0.0.0/0
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: example ec2 group1
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 67
        to_port: 82
        cidr_ip: 0.0.0.0/0

- name: example ec2 group2
  amazon.aws.ec2_group:
    name: example2
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 80
        cidr_ip: 0.0.0.0/0

- name: example ec2 group3
  amazon.aws.ec2_group:
    name: example3
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 79-90
        cidr_ip: 0.0.0.0/0

- name: example ec2 group4
  amazon.aws.ec2_group:
    name: example4
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 100
          - 70-90
        cidr_ip: 0.0.0.0/0

- name: example ec2 group5
  amazon.aws.ec2_group:
    name: example5
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 80
          - 30-31
        cidr_ip: 0.0.0.0/0

- name: example ec2 group6
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: -1
        to_port: 82
        cidr_ip: 0.0.0.0/0

- name: example ec2 group7
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 67
        to_port: -1
        cidr_ip: 0.0.0.0/0
```
