Security groups that allow Remote Desktop (RDP, TCP port 3389) from 0.0.0.0/0 expose Windows hosts to the public internet, increasing the likelihood of brute-force compromise, unauthorized access, and ransomware or lateral movement.
Ansible EC2 security group resources using the amazon.aws.ec2_group or ec2_group module must not include a rule with cidr_ip "0.0.0.0/0" that permits port 3389 (for example, a rule with proto: tcp, from_port: 3389, to_port: 3389; as the non-compliant examples below show, a port range or a -1 wildcard that covers 3389 is flagged too). Tasks with such a rule are flagged. Restrict RDP to specific trusted CIDR ranges, require bastion hosts or VPN access, or remove the rule entirely.
Secure example restricting RDP to a trusted network:
```yaml
- name: Create security group with restricted RDP
  amazon.aws.ec2_group:
    name: my-sg
    description: SG with RDP restricted
    rules:
      - proto: tcp
        from_port: 3389
        to_port: 3389
        cidr_ip: 203.0.113.0/24
```
Compliant Code Examples
```yaml
- name: example ec2 group1
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 3380
        to_port: 3450
        cidr_ip: 0.0.0.0/1
- name: example ec2 group2
  amazon.aws.ec2_group:
    name: example2
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 3389
        cidr_ip: 0.0.1.0/0
- name: example ec2 group3
  amazon.aws.ec2_group:
    name: example3
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 3380-3450
        cidr_ip: 0.1.0.0/0
- name: example ec2 group4
  amazon.aws.ec2_group:
    name: example4
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 80
          - 3380-3450
        cidr_ip: 10.0.0.0/0
- name: example ec2 group5
  amazon.aws.ec2_group:
    name: example5
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 3389
          - 10-50
        cidr_ip: 10.0.0.0/0
- name: example ec2 group6
  amazon.aws.ec2_group:
    name: example1
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: -1
        to_port: 25
        cidr_ip: 0.1.0.0/0
- name: example ec2 group7
  amazon.aws.ec2_group:
    name: example1
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 15
        to_port: -1
        cidr_ip: 0.0.0.1/0
```
Non-Compliant Code Examples
```yaml
- name: example ec2 group1
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 3380
        to_port: 3450
        cidr_ip: 0.0.0.0/0
- name: example ec2 group2
  amazon.aws.ec2_group:
    name: example2
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 3389
        cidr_ip: 0.0.0.0/0
- name: example ec2 group3
  amazon.aws.ec2_group:
    name: example3
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports: 3380-3450
        cidr_ip: 0.0.0.0/0
- name: example ec2 group4
  amazon.aws.ec2_group:
    name: example4
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 80
          - 3380-3450
        cidr_ip: 0.0.0.0/0
- name: example ec2 group5
  amazon.aws.ec2_group:
    name: example5
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        ports:
          - 3389
          - 10-50
        cidr_ip: 0.0.0.0/0
- name: example ec2 group6
  amazon.aws.ec2_group:
    name: example1
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: -1
        to_port: 25
        cidr_ip: 0.0.0.0/0
- name: example ec2 group7
  amazon.aws.ec2_group:
    name: example1
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    aws_secret_key: SECRET
    aws_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 15
        to_port: -1
        cidr_ip: 0.0.0.0/0
```
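The rule described above can be reproduced locally as a pre-commit check. The following checker is an added example, not Datadog's rule engine: it takes Ansible tasks as already-parsed dicts (the shape `yaml.safe_load` returns for a task list, so the block runs offline without PyYAML), normalises the three ways an ec2_group rule can express ports (`ports` as a scalar, a "low-high" string, or a list; or the `from_port`/`to_port` pair with -1 as the AWS wildcard), and reports tasks whose rule admits TCP 3389 from 0.0.0.0/0. It goes slightly beyond the page's tcp-only wording by also flagging `proto: all`/`-1`, which carries TCP; that and the treatment of a rule with no port spec as fully open are assumptions. The sample tasks are constructed to mirror the compliant and non-compliant examples above.

```python
# Added example, not Datadog's rule implementation: flag Ansible ec2_group
# tasks that open RDP (TCP 3389) to 0.0.0.0/0. Tasks are already-parsed dicts.
from typing import Any

EC2_GROUP_MODULES = {"amazon.aws.ec2_group", "ec2_group"}
RDP_PORT = 3389
ANY_IPV4 = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


def port_ranges(rule: dict[str, Any]) -> list[tuple[int, int]]:
    """Normalise a rule's port spec into (low, high) ranges.

    `ports` may be an int, "3389", "3380-3450", or a list of those.
    Otherwise `from_port`/`to_port` apply; -1 on either end is the AWS
    wildcard, so the whole range is treated as open. A rule with no port
    spec at all is treated as open (assumption, conservative for a defender).
    """
    if "ports" in rule:
        entries = rule["ports"]
        if not isinstance(entries, list):
            entries = [entries]
        ranges = []
        for entry in entries:
            text = str(entry).strip()
            if text == "-1":
                ranges.append(ALL_PORTS)
                continue
            low, _, high = text.partition("-")
            ranges.append((int(low), int(high or low)))
        return ranges
    low = int(rule.get("from_port", -1))
    high = int(rule.get("to_port", -1))
    if low == -1 or high == -1:
        return [ALL_PORTS]
    return [(low, high)]


def rule_exposes_rdp(rule: dict[str, Any]) -> bool:
    """True if this single rule admits TCP 3389 from anywhere (IPv4)."""
    # ec2_group defaults proto to tcp; "all"/-1 carry TCP as well (assumption:
    # a defender wants those flagged too, beyond the page's tcp-only wording).
    proto = str(rule.get("proto", "tcp")).lower()
    if proto not in {"tcp", "all", "-1"}:
        return False
    cidrs = rule.get("cidr_ip", [])
    if not isinstance(cidrs, list):
        cidrs = [cidrs]
    if ANY_IPV4 not in cidrs:
        return False
    return any(low <= RDP_PORT <= high for low, high in port_ranges(rule))


def find_rdp_open_tasks(tasks: list[dict[str, Any]]) -> list[str]:
    """Return the names of tasks this rule would flag, in playbook order."""
    flagged = []
    for task in tasks:
        for module in EC2_GROUP_MODULES:
            args = task.get(module)
            if isinstance(args, dict) and any(
                rule_exposes_rdp(r) for r in args.get("rules", [])
            ):
                flagged.append(task.get("name", "<unnamed>"))
                break
    return flagged


# Constructed sample tasks mirroring the page's compliant/non-compliant cases.
SAMPLE_TASKS = [
    {"name": "restricted rdp", "amazon.aws.ec2_group": {"name": "my-sg",
        "rules": [{"proto": "tcp", "from_port": 3389, "to_port": 3389,
                   "cidr_ip": "203.0.113.0/24"}]}},
    {"name": "range not from anywhere", "amazon.aws.ec2_group": {"name": "example",
        "rules": [{"proto": "tcp", "from_port": 3380, "to_port": 3450,
                   "cidr_ip": "0.0.0.0/1"}]}},
    {"name": "https open is outside this rule", "ec2_group": {"name": "web",
        "rules": [{"proto": "tcp", "ports": 443, "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "range covering 3389", "amazon.aws.ec2_group": {"name": "example3",
        "rules": [{"proto": "tcp", "ports": "3380-3450", "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "port list", "amazon.aws.ec2_group": {"name": "example5",
        "rules": [{"proto": "tcp", "ports": [3389, "10-50"], "cidr_ip": "0.0.0.0/0"}]}},
    {"name": "wildcard from_port", "amazon.aws.ec2_group": {"name": "example1",
        "rules": [{"proto": "tcp", "from_port": -1, "to_port": 25,
                   "cidr_ip": "0.0.0.0/0"}]}},
]

if __name__ == "__main__":
    for name in find_rdp_open_tasks(SAMPLE_TASKS):
        print(f"FLAGGED: {name}")
```

Run against a real playbook by loading it with `yaml.safe_load` and passing the task list to `find_rdp_open_tasks`; the string comparison against "0.0.0.0/0" matches what the compliant examples above show (a CIDR such as 0.0.0.0/1 is not flagged), so a stricter check would compare networks with `ipaddress` rather than strings.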
```yaml
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.
```