---
title: SQL Analysis Services port 2383 (TCP) is publicly accessible
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > SQL Analysis Services port 2383 (TCP) is
  publicly accessible
---

# SQL Analysis Services port 2383 (TCP) is publicly accessible

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-sql-analysis-services-port-2383-is-publicly-accessible`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html)

### Description{% #description %}

Allowing TCP port 2383 (SQL Server Analysis Services) from the public internet (CIDR `0.0.0.0/0`) exposes the analysis service to unauthorized connections, increasing the risk of data exposure, unauthorized queries, and lateral movement into your environment.

For Ansible tasks using the `amazon.aws.ec2_group` or `ec2_group` module, this rule flags any `rules` entry where `cidr_ip` is `0.0.0.0/0`, `proto` is `tcp`, and the rule covers port 2383: as a single port in `ports`, as a range (`from_port`/`to_port`, or a `ports` entry such as `2000-3000`) that contains it, or as `-1` for all ports. Restrict access by specifying a limited CIDR range or referencing internal security groups instead of `0.0.0.0/0`, or remove the rule if public access is not required.

Secure configuration example:

```yaml
my_security_group:
  amazon.aws.ec2_group:
    name: my-sg
    rules:
      - proto: tcp
        from_port: 2383
        to_port: 2383
        cidr_ip: 10.0.0.0/24
```
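The detection logic described above, written out as an added example (this is not Datadog's or Ansible's own implementation). It assumes the playbook has already been parsed into Python dicts, as `yaml.safe_load` would return it, and the sample tasks are constructed inline. It goes slightly beyond the stated criteria by treating `proto: all` and `proto: -1` as also covering TCP, which is how AWS security groups interpret them.

```python
PORT = 2383
PUBLIC_CIDR = "0.0.0.0/0"
MODULES = ("amazon.aws.ec2_group", "ec2_group")

def _range_covers(lo, hi):
    """True if the inclusive range lo..hi contains PORT; -1 means all ports."""
    lo, hi = int(lo), int(hi)
    return lo == -1 or hi == -1 or lo <= PORT <= hi

def _ports_entry_bounds(entry):
    """A `ports` item is a single port (2383, -1) or a range string ("2000-3000")."""
    lo, _, hi = str(entry).strip().partition("-")
    return (lo, hi) if lo and hi else (entry, entry)

def rule_exposes_port(rule):
    """Does one `rules` entry open PORT over TCP to the public internet?"""
    if str(rule.get("proto", "tcp")).lower() not in ("tcp", "all", "-1"):
        return False
    if str(rule.get("cidr_ip")) != PUBLIC_CIDR:
        return False
    if "ports" in rule:
        return any(_range_covers(*_ports_entry_bounds(p)) for p in rule["ports"])
    if "from_port" in rule and "to_port" in rule:
        return _range_covers(rule["from_port"], rule["to_port"])
    return False

def find_violations(tasks):
    """Return (task name, rule index) for every offending rule in a task list."""
    hits = []
    for task in tasks:
        for module in MODULES:
            for i, rule in enumerate((task.get(module) or {}).get("rules") or []):
                if rule_exposes_port(rule):
                    hits.append((task.get("name", "<unnamed>"), i))
    return hits

def _task(name, **rule):
    """Constructed sample data: one ec2_group task wrapping a single rule."""
    return {"name": name, "amazon.aws.ec2_group": {"name": "sg", "rules": [rule]}}

# Constructed sample mirroring the compliant and non-compliant cases on this page.
SAMPLE_TASKS = [
    _task("private 2383", proto="tcp", ports=[2383], cidr_ip="10.0.0.0/24"),
    _task("udp 2383 public", proto="udp", ports=[2383], cidr_ip=PUBLIC_CIDR),
    _task("range misses 2383", proto="tcp", from_port=3000, to_port=4000, cidr_ip=PUBLIC_CIDR),
    _task("all ports public", proto="tcp", from_port=-1, to_port=-1, cidr_ip=PUBLIC_CIDR),
    _task("range covers 2383", proto="tcp", ports=["2000-3000"], cidr_ip=PUBLIC_CIDR),
]
```

Running `find_violations(SAMPLE_TASKS)` reports only the last two tasks, matching the page's compliant and non-compliant examples.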

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: example using security group rule descriptions
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: '{{ aws_profile }}'
    region: us-east-1
    rules:
    - proto: tcp
      ports:
      - 2383
      cidr_ip: aws_vpc.main.cidr_block
      rule_desc: allow all on port 2383

- name: example using security group rule descriptions 2
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: '{{ aws_profile }}'
    region: us-east-1
    rules:
    - proto: udp
      ports:
      - 2383
      cidr_ip: 0.0.0.0/0
      rule_desc: allow all on port 2383

- name: example using security group rule descriptions 3
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: '{{ aws_profile }}'
    region: us-east-1
    rules:
    - proto: tcp
      to_port: 4000
      from_port: 3000
      cidr_ip: 0.0.0.0/0
      rule_desc: allow all on port 2383
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: example using security group rule descriptions
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        ports:
          - 2383
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383

- name: example using security group rule descriptions 2
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        ports:
          - 2383
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383

- name: example using security group rule descriptions 3
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        to_port: -1
        from_port: -1
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383

- name: example using security group rule descriptions 4
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        ports:
          - 2000-3000
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383

- name: example using security group rule descriptions 5
  amazon.aws.ec2_group:
    name: awsEc2
    description: sg with rule descriptions
    vpc_id: vpc-xxxxxxxx
    profile: "{{ aws_profile }}"
    region: us-east-1
    rules:
      - proto: tcp
        to_port: 3000
        from_port: 2000
        cidr_ip: 0.0.0.0/0
        rule_desc: allow all on port 2383
```
