---
title: Public port with wide port range
description: Datadog, the leading service for cloud-scale monitoring.
---

# Public port with wide port range

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `71ea648a-d31a-4b5a-a589-5674243f1c33`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html)

### Description{% #description %}

Security groups must not allow a wide port range to the entire internet. Exposing multiple ports publicly increases attack surface and enables broad port scanning, automated exploitation, and easier lateral movement.

For Ansible `amazon.aws.ec2_group` or `ec2_group` resources, check `rules[].from_port` and `rules[].to_port` and ensure rules where `to_port - from_port > 0` are not paired with `cidr_ip` set to `0.0.0.0/0` or `cidr_ipv6` set to `::/0`. Rules that require external access should restrict CIDR ranges to trusted networks or use specific single-port entries. Any rule defining a port range with an entire-network CIDR is flagged.

Secure example restricting access to single ports and specific CIDRs, written as a complete `amazon.aws.ec2_group` task (the module requires `name` and `description`):

```yaml
- name: allow SSH and HTTPS only from trusted networks, one port per rule
  amazon.aws.ec2_group:
    name: my-security-group
    description: single-port rules restricted to trusted CIDRs
    rules:
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 203.0.113.5/32
      - proto: tcp
        from_port: 443
        to_port: 443
        cidr_ip: 198.51.100.0/24
```
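The check described above, as an added example that is not Datadog's own rule implementation: it walks a playbook, finds `amazon.aws.ec2_group` / `ec2_group` tasks, and reports every rule whose port span is wider than one port and whose `cidr_ip` or `cidr_ipv6` includes `0.0.0.0/0` or `::/0`. It goes slightly beyond the description by also handling the module's `ports` shorthand (`"8000-8010"`) and list-valued `cidr_ip`. The `PLAYBOOK` literal is the page's non-compliant example plus two constructed rules, written as the Python structure `yaml.safe_load` would return so the code runs offline without PyYAML.

```python
# Added example, not Datadog's rule code. PLAYBOOK mirrors the page's
# non-compliant task; the last two rules are constructed for illustration.
WORLD_CIDRS = {"cidr_ip": "0.0.0.0/0", "cidr_ipv6": "::/0"}
MODULES = {"amazon.aws.ec2_group", "ec2_group"}

PLAYBOOK = [
    {"name": "example ec2 group",
     "amazon.aws.ec2_group": {
         "name": "example", "description": "an example EC2 group",
         "vpc_id": 12345, "region": "eu-west-1",
         "rules": [
             {"proto": "tcp", "from_port": 80, "to_port": 82, "cidr_ip": "0.0.0.0/0"},
             {"proto": "tcp", "from_port": 2, "to_port": 22, "cidr_ipv6": "::/0"},
             # constructed: a single public port is allowed by this rule
             {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr_ip": "0.0.0.0/0"},
             # constructed: `ports` range shorthand plus a list of CIDRs
             {"proto": "tcp", "ports": "8000-8010", "cidr_ip": ["10.0.0.0/8", "0.0.0.0/0"]},
         ]}},
]

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _port_spans(rule):
    """Yield (from_port, to_port) for explicit keys and each `ports` entry (80 or "80-82")."""
    if "from_port" in rule and "to_port" in rule:
        yield int(rule["from_port"]), int(rule["to_port"])
    for spec in _as_list(rule.get("ports")):
        low, _, high = str(spec).partition("-")
        yield int(low), int(high or low)

def _world_cidr(rule):
    """Return the entire-network CIDR the rule is open to, or None."""
    for key, cidr in WORLD_CIDRS.items():
        if cidr in _as_list(rule.get(key)):
            return cidr
    return None

def find_wide_public_ranges(playbook):
    """Return (task name, from_port, to_port, cidr) for each violating rule."""
    findings = []
    for task in playbook:
        for module in MODULES.intersection(task):
            for rule in task[module].get("rules") or []:
                cidr = _world_cidr(rule)
                if cidr is None:
                    continue  # restricted to a trusted network: not in scope
                for low, high in _port_spans(rule):
                    if high - low > 0:
                        findings.append((task.get("name"), low, high, cidr))
    return findings
```

Running `find_wide_public_ranges(PLAYBOOK)` reports the 80-82 and 2-22 rules from the page and the constructed 8000-8010 rule, and stays silent on the single-port 443 rule.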

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: example ec2 group v2
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 10.0.0.0/8
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: tcp
        from_port: 80
        to_port: 82
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 2
        to_port: 22
        cidr_ipv6: ::/0
```
