Allowing TCP port 2383 (SQL Server Analysis Services) from the public internet (CIDR 0.0.0.0/0) exposes the analysis service to unauthorized connections, increasing the risk of data exposure, unauthorized queries, and lateral movement into your environment.
For Ansible tasks using the amazon.aws.ec2_group or ec2_group module, this rule flags any rules entry where cidr_ip is 0.0.0.0/0, proto is tcp, and the rule includes port 2383, whether the port is listed directly under ports, falls inside a from_port/to_port or "low-high" range, or is covered by -1 (all ports). Restrict access by specifying a limited CIDR range or referencing internal security groups instead of 0.0.0.0/0, or remove the rule if public access is not required.
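The check described above, written out as an added example (not Datadog's own implementation). Tasks are represented as the Python structures PyYAML's safe_load would return for the playbooks on this page; the sample tasks, their names and the 10.0.0.0/16 and sas-clients values are constructed for the example. The checker also handles cidr_ip given as a list, which the module accepts, and treats a missing proto as tcp, the module's default.

```python
# Detection logic for: SQL Server Analysis Services port 2383 reachable from 0.0.0.0/0
# in amazon.aws.ec2_group / ec2_group tasks. Added example, not Datadog's checker.

SAS_PORT = 2383
WORLD_IPV4 = "0.0.0.0/0"
EC2_GROUP_MODULES = ("amazon.aws.ec2_group", "ec2_group")


def _parse_port_item(item):
    """Turn one `ports` entry into an inclusive (low, high) span.
    Accepts an int, a numeric string (including "-1"), or a "low-high" range."""
    text = str(item).strip()
    if text.lstrip("-").isdigit():          # 2383 or -1
        n = int(text)
        return (n, n)
    low, _, high = text.partition("-")      # "2000-3000"
    return (int(low), int(high))


def port_spans(rule):
    """All port spans a rule grants, from `ports` and/or from_port/to_port."""
    spans = []
    ports = rule.get("ports")
    if ports is not None:
        if not isinstance(ports, list):
            ports = [ports]
        spans.extend(_parse_port_item(p) for p in ports)
    if "from_port" in rule or "to_port" in rule:
        low = int(rule.get("from_port", rule.get("to_port")))
        high = int(rule.get("to_port", low))
        spans.append((low, high))
    return spans


def span_covers(span, port):
    """-1 on either end means every port; otherwise an inclusive range check."""
    low, high = span
    return low == -1 or high == -1 or low <= port <= high


def rule_exposes_sas(rule):
    """True when this rules entry is tcp, open to 0.0.0.0/0, and reaches port 2383.
    The rule as documented matches proto tcp; a stricter local policy could also
    treat proto all/-1 as covering the port."""
    if str(rule.get("proto", "tcp")).lower() != "tcp":
        return False
    cidrs = rule.get("cidr_ip") or []
    if isinstance(cidrs, str):
        cidrs = [cidrs]
    if WORLD_IPV4 not in cidrs:
        return False
    return any(span_covers(s, SAS_PORT) for s in port_spans(rule))


def task_findings(task):
    """Descriptions of the offending rules in one task (empty list if compliant)."""
    module_args = next((task[m] for m in EC2_GROUP_MODULES if m in task), None)
    if module_args is None:
        return []
    return [r.get("rule_desc", "<no rule_desc>")
            for r in module_args.get("rules", []) if rule_exposes_sas(r)]


def scan_playbook(tasks):
    """Names of the tasks that would be flagged by the rule."""
    return [t.get("name", "<unnamed>") for t in tasks if task_findings(t)]


def _sg_task(name, rule):
    # Constructed task skeleton mirroring the page's examples.
    return {"name": name, "amazon.aws.ec2_group": {
        "name": "awsEc2", "vpc_id": "vpc-xxxxxxxx", "region": "us-east-1",
        "rules": [rule]}}


# Constructed sample tasks: the three compliant shapes from the page plus a
# security-group reference, and the non-compliant shapes plus a cidr_ip list.
COMPLIANT = [
    _sg_task("vpc cidr only", {"proto": "tcp", "ports": [2383], "cidr_ip": "10.0.0.0/16"}),
    _sg_task("udp not tcp", {"proto": "udp", "ports": [2383], "cidr_ip": "0.0.0.0/0"}),
    _sg_task("range misses 2383", {"proto": "tcp", "from_port": 3000, "to_port": 4000, "cidr_ip": "0.0.0.0/0"}),
    _sg_task("internal sg reference", {"proto": "tcp", "ports": [2383], "group_name": "sas-clients"}),
]
NON_COMPLIANT = [
    _sg_task("single port", {"proto": "tcp", "ports": [2383], "cidr_ip": "0.0.0.0/0"}),
    _sg_task("all ports", {"proto": "tcp", "from_port": -1, "to_port": -1, "cidr_ip": "0.0.0.0/0"}),
    _sg_task("port range string", {"proto": "tcp", "ports": ["2000-3000"], "cidr_ip": "0.0.0.0/0"}),
    _sg_task("from/to range", {"proto": "tcp", "from_port": 2000, "to_port": 3000, "cidr_ip": "0.0.0.0/0"}),
    _sg_task("cidr list", {"proto": "tcp", "ports": [2383], "cidr_ip": ["10.0.0.0/8", "0.0.0.0/0"]}),
]

if __name__ == "__main__":
    print("compliant flagged:", scan_playbook(COMPLIANT))        # []
    print("non-compliant flagged:", scan_playbook(NON_COMPLIANT))
```

Running the block prints an empty list for the compliant tasks and the five non-compliant task names. The port-span normalisation is the part worth copying: a naive check for the literal 2383 misses both the from_port/to_port and "low-high" forms that the page's non-compliant examples use.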
Compliant Code Examples

```yaml
- name: example using security group rule descriptions
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: '{{ aws_profile }}'
    region: us-east-1
    rules:
      - proto: tcp
        ports:
          - 2383
        cidr_ip: aws_vpc.main.cidr_block
        rule_desc: allow all on port 2383
- name: example using security group rule descriptions 2
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: '{{ aws_profile }}'
    region: us-east-1
    rules:
      - proto: udp
        ports:
          - 2383
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383
- name: example using security group rule descriptions 3
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: '{{ aws_profile }}'
    region: us-east-1
    rules:
      - proto: tcp
        to_port: 4000
        from_port: 3000
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383
```
Non-Compliant Code Examples
```yaml
---
- name: example using security group rule descriptions
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        ports:
          - 2383
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383
- name: example using security group rule descriptions 2
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        ports:
          - 2383
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383
- name: example using security group rule descriptions 3
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        to_port: -1
        from_port: -1
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383
- name: example using security group rule descriptions 4
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        ports:
          - 2000-3000
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383
- name: example using security group rule descriptions 5
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        to_port: 3000
        from_port: 2000
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383
```
```yaml
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.
```