For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-db-security-group-open-to-large-scope.md. A documentation index is available at /llms.txt.

DB security group open to large scope

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-db-security-group-open-to-large-scope

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Networking and Firewall

Learn More

Description

Ingress rules that use large CIDR blocks grant network access to hundreds or thousands of hosts. This increases attack surface and raises the risk of unauthorized access, brute-force attacks, and lateral movement.

For CloudFormation:

  • For AWS::EC2::SecurityGroup resources, Properties.SecurityGroupIngress IPv4 entries (CidrIp) must use prefix lengths of /25 through /32, and IPv6 entries (CidrIpv6) must use /120 through /128.
  • For AWS::RDS::DBSecurityGroup resources, DBSecurityGroupIngress.CIDRIP IPv4 values must also use /25 through /32.

Resources missing these properties or that specify less specific prefixes (for example, /24 or shorter for IPv4, or /119 or shorter for IPv6) will be flagged. Remediate by replacing broad CIDR blocks with narrower CIDRs, specific host addresses, or security-group references so each ingress entry meets the required prefix length.

Secure examples (CloudFormation YAML):

MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow limited IPv4 and IPv6 access
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 203.0.113.0/25
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIpv6: 2001:db8::/120

MyDBSecurityGroup:
  Type: AWS::RDS::DBSecurityGroup
  Properties:
    DBSecurityGroupIngress:
      - CIDRIP: 203.0.113.0/25

Compliant Code Examples

#this code is a correct code for which the query should not find any result
Resources:
  DBinstance:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        CIDRIP: 1.2.3.4/28

{
  "Resources": {
    "DBinstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "MasterUsername": "YourName",
        "MasterUserPassword": "YourPassword",
        "DBSecurityGroups": [
          {
            "Ref": "DbSecurityByEC2SecurityGroup"
          }
        ],
        "AllocatedStorage": "5",
        "DBInstanceClass": "db.t3.small",
        "Engine": "MySQL"
      },
      "DeletionPolicy": "Snapshot"
    },
    "DbSecurityByEC2SecurityGroup": {
      "Type": "AWS::RDS::DBSecurityGroup",
      "Properties": {
        "GroupDescription": "Ingress for Amazon EC2 security group",
        "DBSecurityGroupIngress": {
          "CIDRIP": "1.2.3.4/28"
        }
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  DBinstance1:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurity"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurity:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        CIDRIP: 1.2.3.4/23

Resources:
  DBinstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup1"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        CidrIp: 1.2.3.4/23

Resources:
  DBinstance3:
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups:
        -
          Ref: "DbSecurityByEC2SecurityGroup2"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      SecurityGroupIngress:
        CidrIpv6: 2001:db8:a::123/64