
Metadata

Id: 71ea648a-d31a-4b5a-a589-5674243f1c33

Cloud Provider: AWS

Platform: Ansible

Severity: High

Category: Networking and Firewall


Description

Security groups must not allow a wide port range to the entire internet. Exposing multiple ports publicly increases attack surface and enables broad port scanning, automated exploitation, and easier lateral movement.

For Ansible amazon.aws.ec2_group (or the short name ec2_group) tasks, inspect rules[].from_port and rules[].to_port: any rule where to_port - from_port > 0 must not be paired with cidr_ip set to 0.0.0.0/0 or cidr_ipv6 set to ::/0. Rules that require external access should restrict the CIDR to trusted networks or use one entry per port. A rule that defines a port range together with an entire-internet CIDR is flagged; a single port (from_port equal to to_port) open to 0.0.0.0/0 is not flagged by this rule, although it still deserves review.
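The check described above, as an added example that is not Datadog's scanner or part of the rule's own implementation: a small checker that walks the parsed form of an Ansible task list (the structure yaml.safe_load returns for a tasks file) and reports every ec2_group rule that pairs a multi-port span with 0.0.0.0/0 or ::/0. It goes slightly beyond the description on this page in two ways: it also accepts the module's list form of cidr_ip / cidr_ipv6 and its ports option ("443" or "8000-8100"), both of which amazon.aws.ec2_group supports. The sample tasks are constructed here to mirror the page's compliant and non-compliant examples plus one ports-form task.

```python
"""Flag ec2_group rules that open a port range to the whole internet.

Added example (not Datadog's or Ansible's code). Input is the list of task
dicts that yaml.safe_load produces for an Ansible tasks file.
"""
from __future__ import annotations

MODULE_NAMES = ("amazon.aws.ec2_group", "ec2_group")
WORLD_CIDRS = {"cidr_ip": "0.0.0.0/0", "cidr_ipv6": "::/0"}


def _as_list(value):
    """ec2_group accepts a scalar or a list for cidr_ip/cidr_ipv6/ports."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _port_spans(rule: dict) -> list[tuple[int, int]]:
    """Return (low, high) port spans declared by a rule.

    Covers from_port/to_port as on the page and, as an extension, the
    module's ports option where each element is "N" or "N-M".
    """
    spans = []
    if "from_port" in rule or "to_port" in rule:
        low = rule.get("from_port", rule.get("to_port"))
        high = rule.get("to_port", rule.get("from_port"))
        spans.append((int(low), int(high)))
    for item in _as_list(rule.get("ports")):
        text = str(item)
        if "-" in text:
            low, high = text.split("-", 1)
            spans.append((int(low), int(high)))
        else:
            spans.append((int(text), int(text)))
    return spans


def _world_open_cidrs(rule: dict) -> list[str]:
    """Every entire-internet CIDR the rule lists, IPv4 or IPv6."""
    return [
        cidr
        for key, cidr in WORLD_CIDRS.items()
        if cidr in _as_list(rule.get(key))
    ]


def find_wide_public_rules(tasks: list[dict]) -> list[dict]:
    """One finding per rule whose span covers more than one port and whose
    CIDR is 0.0.0.0/0 or ::/0; single-port world-open rules are not flagged."""
    findings = []
    for task in tasks:
        for module in MODULE_NAMES:
            if module not in task:
                continue
            params = task[module] or {}
            for index, rule in enumerate(params.get("rules") or []):
                open_to = _world_open_cidrs(rule)
                if not open_to:
                    continue
                for low, high in _port_spans(rule):
                    if high - low > 0:
                        findings.append({
                            "task": task.get("name", "<unnamed>"),
                            "group": params.get("name"),
                            "rule_index": index,
                            "from_port": low,
                            "to_port": high,
                            "open_to": open_to,
                        })
    return findings


# Constructed sample: the page's compliant task, its non-compliant task, and
# a hypothetical short-name task using the list/ports forms.
SAMPLE_TASKS = [
    {"name": "example ec2 group v2", "amazon.aws.ec2_group": {"name": "example", "rules": [
        {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "10.0.0.0/8"},
    ]}},
    {"name": "example ec2 group", "amazon.aws.ec2_group": {"name": "example", "rules": [
        {"proto": "tcp", "from_port": 80, "to_port": 82, "cidr_ip": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 2, "to_port": 22, "cidr_ipv6": "::/0"},
    ]}},
    {"name": "legacy ports form", "ec2_group": {"name": "legacy", "rules": [
        {"proto": "tcp", "ports": ["443", "8000-8100"],
         "cidr_ip": ["10.0.0.0/8", "0.0.0.0/0"]},
    ]}},
]


if __name__ == "__main__":
    for finding in find_wide_public_rules(SAMPLE_TASKS):
        print(f"{finding['task']!r} rule #{finding['rule_index']}: "
              f"{finding['from_port']}-{finding['to_port']} open to {finding['open_to']}")
```

To run it against a real file, feed `yaml.safe_load(open(path))` from PyYAML to `find_wide_public_rules`; for a full playbook, pass each play's `tasks` (and `pre_tasks`/`post_tasks`/`handlers`) list rather than the top-level list of plays. Two caveats a reviewer should keep in mind: the compliant example's port 80 open to 0.0.0.0/0 is deliberately not reported, because this rule only targets ranges, and a rule written as `proto: all` with no ports carries no port fields at all, so it falls outside the condition on this page even though it exposes every port.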

Secure example restricting each rule to a single port and a specific CIDR:

- name: example ec2 group with narrowly scoped rules
  amazon.aws.ec2_group:
    name: my-security-group
    description: SSH from one admin host, HTTPS from one trusted network
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 203.0.113.5/32
      - proto: tcp
        from_port: 443
        to_port: 443
        cidr_ip: 198.51.100.0/24

Compliant Code Examples

- name: example ec2 group v2
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
    - proto: tcp
      from_port: 80
      to_port: 80
      cidr_ip: 0.0.0.0/0
    - proto: tcp
      from_port: 22
      to_port: 22
      cidr_ip: 10.0.0.0/8

Non-Compliant Code Examples

- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: tcp
        from_port: 80
        to_port: 82
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 2
        to_port: 22
        cidr_ipv6: ::/0