---
title: Security group with unrestricted access to SSH
---

# Security group with unrestricted access to SSH

## Metadata{% #metadata %}

**Id:** `ansible-aws-security-group-with-unrestricted-access-to-ssh`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html)

### Description{% #description %}

SSH (TCP port 22) must not be exposed to public CIDR ranges: an internet-reachable SSH endpoint invites unauthorized remote access, raises the risk of brute-force and credential-stuffing attacks, and gives an attacker who obtains credentials a foothold for lateral movement.

This check inspects Ansible tasks using `amazon.aws.ec2_group` or `ec2_group` and flags entries in the `rules` list where `from_port`/`to_port` cover port 22 (or are both `-1` indicating all ports) and `cidr_ip` or `cidr_ipv6` specify public CIDRs such as `0.0.0.0/0` or `::/0`. Limit `cidr_ip`/`cidr_ipv6` to specific trusted IP ranges, or remove SSH from the security group and enforce access through a bastion host or VPN. Any rule that leaves SSH open to public CIDRs is flagged.

Secure example restricting SSH to a single trusted address:

```yaml
- name: my-secure-sg
  amazon.aws.ec2_group:
    name: my-secure-sg
    rules:
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 203.0.113.4/32
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: example ec2 group v2
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
    - proto: tcp
      from_port: 80
      to_port: 80
      cidr_ip: 79.32.0.0/8
    - proto: tcp
      from_port: 80
      to_port: 80
      cidr_ipv6: 64:ff9b::/96
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 79.32.0.0/12
      - proto: tcp
        from_port: -1
        to_port: -1
        cidr_ip: 79.32.0.0/12
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ipv6: 2607:F8B0::/24
```
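The check described in the Description section can be reproduced with a small standalone checker. The following is an added example written for this page, not Datadog's scanner or the `amazon.aws` collection's code. The module names, the `rules` fields, and the port and CIDR conditions follow the text above; the sample tasks are the page's compliant, non-compliant and secure snippets transcribed as Python structures (what `yaml.safe_load` would return). Two things are assumptions: the `TRUSTED` allowlist (the page only says to limit access to "specific trusted IP ranges", so the secure `/32` example is modelled as an operator-approved range), and the handling of `proto` (`udp`/`icmp` on port 22 is not treated as SSH, while `all`/`-1` is treated as covering every port).

```python
import ipaddress

# Module names that carry the security group definition (from the page).
SG_MODULES = ("amazon.aws.ec2_group", "ec2_group")
SSH_PORT = 22

# Address space that is not publicly routable; a rule scoped to these ranges
# is not a "public CIDR" in the sense of the rule.
NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def _contained(net, ranges):
    """True if net lies entirely inside one of the given networks of the same IP version."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def is_public_cidr(cidr, trusted=()):
    """True if the CIDR reaches public address space and is not an approved trusted range.

    `trusted` is an operator allowlist (assumption: the page only asks for
    "specific trusted IP ranges" without saying how they are recognised).
    """
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts 79.32.0.0/8
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    return not _contained(net, NON_PUBLIC) and not _contained(net, trusted_nets)


def covers_ssh(rule):
    """True if the rule's port range includes TCP/22, or is -1/-1 (all ports)."""
    proto = str(rule.get("proto", "tcp")).lower()
    if proto in ("all", "-1"):           # assumption: all protocols means all ports too
        return True
    if proto != "tcp":                   # assumption: udp/icmp 22 is not SSH
        return False
    f, t = rule.get("from_port"), rule.get("to_port")
    if f is None or t is None:
        return False
    f, t = int(f), int(t)
    return (f == -1 and t == -1) or f <= SSH_PORT <= t


def find_open_ssh(tasks, trusted=()):
    """Return (task name, rule index, cidr) for every rule that exposes SSH publicly."""
    findings = []
    for task in tasks:
        module = next((m for m in SG_MODULES if m in task), None)
        if module is None:
            continue
        for i, rule in enumerate(task[module].get("rules") or []):
            if not covers_ssh(rule):
                continue
            for key in ("cidr_ip", "cidr_ipv6"):
                cidrs = rule.get(key)
                if cidrs is None:
                    continue
                for cidr in ([cidrs] if isinstance(cidrs, str) else cidrs):
                    if is_public_cidr(cidr, trusted):
                        findings.append((task.get("name"), i, cidr))
    return findings


# Constructed sample input: the page's three snippets as parsed task dicts.
SAMPLE_TASKS = [
    {"name": "example ec2 group",
     "amazon.aws.ec2_group": {"name": "example", "rules": [
         {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "79.32.0.0/12"},
         {"proto": "tcp", "from_port": -1, "to_port": -1, "cidr_ip": "79.32.0.0/12"},
         {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ipv6": "2607:F8B0::/24"},
     ]}},
    {"name": "example ec2 group v2",
     "amazon.aws.ec2_group": {"name": "example", "rules": [
         {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": "79.32.0.0/8"},
         {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ipv6": "64:ff9b::/96"},
     ]}},
    {"name": "my-secure-sg",
     "amazon.aws.ec2_group": {"name": "my-secure-sg", "rules": [
         {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "203.0.113.4/32"},
     ]}},
]
TRUSTED = ("203.0.113.4/32",)  # assumed operator allowlist for the secure example

if __name__ == "__main__":
    for name, idx, cidr in find_open_ssh(SAMPLE_TASKS, TRUSTED):
        print(f"{name}: rules[{idx}] exposes SSH to {cidr}")
```

Run against the sample, only the three rules of the non-compliant task are reported: the port-80 rules of the compliant task never reach the CIDR test, and the `/32` of the secure example is excluded by the allowlist. Note that `0.0.0.0/0` and `::/0` are public by this definition, and that a CIDR is only treated as non-public when it lies entirely inside private, loopback, link-local or ULA space.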
