---
title: DB security group open to large scope
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > DB security group open to large scope
---

# DB security group open to large scope

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-db-security-group-open-to-large-scope`

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** High

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html)

### Description{% #description %}

Ingress rules that use large CIDR blocks grant network access to hundreds or thousands of hosts. This increases attack surface and raises the risk of unauthorized access, brute-force attacks, and lateral movement.

For CloudFormation:

- For `AWS::EC2::SecurityGroup` resources, `Properties.SecurityGroupIngress` IPv4 entries (`CidrIp`) must use prefix lengths of `/25` through `/32`, and IPv6 entries (`CidrIpv6`) must use `/120` through `/128`.
- For `AWS::RDS::DBSecurityGroup` resources, `DBSecurityGroupIngress.CIDRIP` IPv4 values must also use `/25` through `/32`.

Resources that omit these properties, or that specify less specific prefixes (for example, `/24` or shorter for IPv4, or `/119` or shorter for IPv6), are flagged. Remediate by replacing broad CIDR blocks with narrower CIDRs, specific host addresses, or security-group references so that each ingress entry meets the required prefix length.

Secure examples (CloudFormation YAML):

```yaml
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow limited IPv4 and IPv6 access
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 203.0.113.0/25
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIpv6: 2001:db8::/120
```

```yaml
MyDBSecurityGroup:
  Type: AWS::RDS::DBSecurityGroup
  Properties:
    DBSecurityGroupIngress:
      - CIDRIP: 203.0.113.0/25
```
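The prefix-length check described above, as an added example (not Datadog's own rule implementation): it walks a CloudFormation template loaded as a dictionary, inspects both resource types with their respective ingress property and CIDR keys, flags a missing ingress property, and accepts either the list form CloudFormation defines or the single-map form used by the fixtures on this page. The template is constructed here from the page's compliant and non-compliant snippets; intrinsic-function values are skipped because they cannot be evaluated statically.

```python
import ipaddress

# Minimum prefix lengths the rule requires (from the description above).
MIN_PREFIX = {4: 25, 6: 120}

# Ingress property and CIDR keys for each resource type the rule inspects.
INGRESS_SHAPES = {
    "AWS::EC2::SecurityGroup": ("SecurityGroupIngress", ("CidrIp", "CidrIpv6")),
    "AWS::RDS::DBSecurityGroup": ("DBSecurityGroupIngress", ("CIDRIP",)),
}

def cidr_too_broad(cidr):
    """True when the prefix is shorter (broader) than the rule allows."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False: host bits may be set
    return net.prefixlen < MIN_PREFIX[net.version]

def find_broad_ingress(template):
    """Return (logical_id, cidr) per flagged entry; cidr is None when the property is missing."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        shape = INGRESS_SHAPES.get(res.get("Type"))
        if shape is None:
            continue  # not a resource type this rule inspects
        prop, cidr_keys = shape
        ingress = res.get("Properties", {}).get(prop)
        if ingress is None:
            findings.append((logical_id, None))  # missing property is flagged by the rule
            continue
        # CloudFormation defines these as lists, but the fixtures on this page also use a single map.
        for entry in (ingress if isinstance(ingress, list) else [ingress]):
            for key in cidr_keys:
                cidr = entry.get(key)
                # Non-string values (Ref, Fn::Sub, ...) cannot be evaluated statically; skipped.
                if isinstance(cidr, str) and cidr_too_broad(cidr):
                    findings.append((logical_id, cidr))
    return findings

# Constructed template mixing the page's compliant and non-compliant fixtures.
SAMPLE_TEMPLATE = {"Resources": {
    "DbSecurityOk": {"Type": "AWS::RDS::DBSecurityGroup",
                     "Properties": {"DBSecurityGroupIngress": {"CIDRIP": "1.2.3.4/28"}}},
    "DbSecurityBroad": {"Type": "AWS::RDS::DBSecurityGroup",
                        "Properties": {"DBSecurityGroupIngress": [{"CIDRIP": "1.2.3.4/23"}]}},
    "Ec2SgOk": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"CidrIp": "203.0.113.0/25"}, {"CidrIpv6": "2001:db8::/120"}]}},
    "Ec2SgIpv6Broad": {"Type": "AWS::EC2::SecurityGroup",
                       "Properties": {"SecurityGroupIngress": [{"CidrIpv6": "2001:db8:a::123/64"}]}},
    "DbSecurityNoIngress": {"Type": "AWS::RDS::DBSecurityGroup", "Properties": {}},
}}
```

Calling `find_broad_ingress(SAMPLE_TEMPLATE)` reports the `/23` and `/64` entries and the group with no ingress property, while the `/28`, `/25` and `/120` entries pass.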

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
# This template is compliant: the query should not report any result for it.
Resources:
  DBinstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        CIDRIP: 1.2.3.4/28
```

```json
{
  "Resources": {
    "DBinstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL"
      },
      "DeletionPolicy": "Snapshot"
    },
    "DbSecurityByEC2SecurityGroup": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": {
          "CIDRIP": "1.2.3.4/28"
        }
      }
    }
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
Resources:
  DBinstance1:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurity"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurity:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        CIDRIP: 1.2.3.4/23
```

```yaml
Resources:
  DBinstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup1"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        CidrIp: 1.2.3.4/23
```

```yaml
Resources:
  DBinstance3:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup2"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        CidrIpv6: 2001:db8:a::123/64
```
