EC2 instance using default security group
Id: 8d03993b-8384-419b-a681-d1f55149397c
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Access Control
Description
Using the default security group for EC2 instances is unsafe. The default group is shared across the VPC, often broadly permissive for intra-VPC traffic, and cannot be scoped to least-privilege rules. This increases the risk of lateral movement and unintended exposure.
This rule inspects Ansible tasks that use the amazon.aws.ec2_instance or ec2_instance module and flags security_group or security_groups properties that reference the default security group. Both string and list forms are evaluated. Any value containing the word “default” (case-insensitive) is flagged and should be replaced with explicit, purpose-built security group names or IDs that restrict ingress and egress to only the required sources and ports.
Secure example using an explicit security group ID:
- name: Launch EC2 with dedicated security group
  amazon.aws.ec2_instance:
    name: my-instance
    image_id: ami-0123456789abcdef0
    instance_type: t3.micro
    vpc_subnet_id: subnet-29e63245
    security_groups:
      - sg-0123456789abcdef0
    network:
      assign_public_ip: false
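The detection logic described above, as an added example that is not Datadog's own rule implementation: a small Python checker that walks an already-parsed Ansible playbook (including block/rescue/always nesting), looks at amazon.aws.ec2_instance and ec2_instance tasks, and flags security_group or security_groups values containing "default" (case-insensitive) in both string and list form. The module and property names and the matching rule come from the page; the function names, the optional PyYAML loader and the sample playbook are constructed for this example.

```python
"""Added example, not Datadog's rule engine: a checker mirroring the rule's
stated logic over a parsed Ansible playbook (a list of plays)."""

from typing import Any, List, Tuple

# Module names the rule inspects (from the rule description).
EC2_MODULES = ("amazon.aws.ec2_instance", "ec2_instance")
# Properties the rule inspects (from the rule description).
SG_KEYS = ("security_group", "security_groups")

Finding = Tuple[str, str, str]  # (task name, property, offending value)


def default_sg_references(value: Any) -> List[str]:
    """Return every string in `value` that contains 'default', case-insensitively.
    Accepts the string form and the list form; anything else is ignored."""
    if isinstance(value, str):
        candidates = [value]
    elif isinstance(value, list):
        candidates = [v for v in value if isinstance(v, str)]
    else:
        return []
    return [v for v in candidates if "default" in v.lower()]


def scan_tasks(tasks: list, path: str = "tasks") -> List[Finding]:
    """Scan a task list, recursing into block/rescue/always sections."""
    findings: List[Finding] = []
    for idx, task in enumerate(tasks):
        if not isinstance(task, dict):
            continue
        name = task.get("name", f"{path}[{idx}]")
        for module in EC2_MODULES:
            params = task.get(module)
            if not isinstance(params, dict):
                continue
            for key in SG_KEYS:
                if key in params:
                    for bad in default_sg_references(params[key]):
                        findings.append((name, key, bad))
        # Ansible blocks nest further task lists under these keys.
        for section in ("block", "rescue", "always"):
            nested = task.get(section)
            if isinstance(nested, list):
                findings.extend(scan_tasks(nested, f"{name}.{section}"))
    return findings


def scan_playbook(playbook: list) -> List[Finding]:
    """Scan every play's task-bearing sections and return all findings."""
    findings: List[Finding] = []
    for play in playbook:
        if not isinstance(play, dict):
            continue
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            tasks = play.get(section)
            if isinstance(tasks, list):
                findings.extend(scan_tasks(tasks, section))
    return findings


def scan_yaml_text(text: str) -> List[Finding]:
    """Convenience wrapper for raw playbook text; requires PyYAML."""
    import yaml  # third-party; only needed for this wrapper

    return scan_playbook(yaml.safe_load(text) or [])


# Constructed sample playbook (already parsed) modelled on the page's examples.
SAMPLE_PLAYBOOK = [
    {
        "hosts": "localhost",
        "tasks": [
            {"name": "compliant",
             "amazon.aws.ec2_instance": {"name": "web-server", "security_group": "my_sg"}},
            {"name": "non-compliant list",
             "amazon.aws.ec2_instance": {"name": "web-server", "security_groups": ["default"]}},
            {"name": "non-compliant string",
             "ec2_instance": {"name": "web-server", "security_group": "default"}},
            {"name": "mixed",
             "amazon.aws.ec2_instance": {"security_groups": ["sg-0123456789abcdef0", "Default-Web"]}},
        ],
    }
]

if __name__ == "__main__":
    for task_name, key, value in scan_playbook(SAMPLE_PLAYBOOK):
        print(f"[medium] task {task_name!r}: {key} references {value!r}")
```

Because the rule matches on the substring "default" rather than on the group actually being the VPC default, a purpose-built group whose name happens to contain that word is also flagged; referencing groups by ID (sg-...) avoids that and is the remediation the description recommends anyway.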
Compliant Code Examples
- name: example2
  amazon.aws.ec2_instance:
    name: web-server
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    wait: yes
    security_group: my_sg
    vpc_subnet_id: subnet-29e63245
    network:
      assign_public_ip: true
Non-Compliant Code Examples
- name: example2
  amazon.aws.ec2_instance:
    name: web-server
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    wait: yes
    security_groups:
      - default
    vpc_subnet_id: subnet-29e63245
    network:
      assign_public_ip: true
- name: example
  amazon.aws.ec2_instance:
    name: web-server
    key_name: mykey
    instance_type: t2.micro
    image_id: ami-123456
    wait: yes
    security_group: default
    vpc_subnet_id: subnet-29e63245
    network:
      assign_public_ip: true