For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-db-security-group-with-public-scope.md.
Databases and their associated security groups must not allow ingress from the entire internet. When a publicly accessible Amazon RDS instance sits behind a security group whose ingress rule has CidrIp set to 0.0.0.0/0 or CidrIpv6 set to ::/0, the database is exposed to unauthorized access, brute-force attacks, and data exfiltration.
This rule applies when an AWS::RDS::DBInstance has Properties.PubliclyAccessible set to true. It flags:
- AWS::EC2::SecurityGroup resources with Properties.SecurityGroupIngress entries where CidrIp is 0.0.0.0/0 or CidrIpv6 is ::/0.
- AWS::RDS::DBSecurityGroup resources with Properties.DBSecurityGroupIngress[] entries where CIDRIP is 0.0.0.0/0.
Resources matching these values are flagged. Instead, restrict ingress to specific trusted CIDR ranges, or reference another security group ID as the source so that only known hosts can connect.
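To make the rule's conditions concrete, the following is an added Python example (not Datadog's implementation) that applies the same logic to a JSON CloudFormation template parsed into Python objects. It assumes, as the description above states, that the rule applies whenever any AWS::RDS::DBInstance in the template is PubliclyAccessible, without tracing which security group each instance references. It goes slightly beyond a literal string comparison by parsing CIDRs with the standard ipaddress module, so that alternative spellings of ::/0 are caught and values that are Ref or Fn:: objects (not resolvable statically) are skipped. The template it scans is constructed for this example.

```python
import copy
import ipaddress
import json

DB_INSTANCE_TYPE = "AWS::RDS::DBInstance"
EC2_SG_TYPE = "AWS::EC2::SecurityGroup"
RDS_SG_TYPE = "AWS::RDS::DBSecurityGroup"


def is_world_open(cidr):
    """True when the CIDR covers the entire address space (0.0.0.0/0 or ::/0).

    Parsing with ipaddress also catches spelled-out forms such as
    0:0:0:0:0:0:0:0/0. Non-string values (Ref / Fn::* objects) cannot be
    resolved statically and are treated as not matching.
    """
    if not isinstance(cidr, str):
        return False
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def has_public_db_instance(resources):
    """The rule only applies when some DBInstance is PubliclyAccessible."""
    for res in resources.values():
        if res.get("Type") != DB_INSTANCE_TYPE:
            continue
        if res.get("Properties", {}).get("PubliclyAccessible") in (True, "true"):
            return True
    return False


def find_public_db_security_groups(template):
    """Return sorted (logical_id, cidr) findings for world-open DB ingress."""
    resources = template.get("Resources", {})
    if not has_public_db_instance(resources):
        return []
    findings = []
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == EC2_SG_TYPE:
            # Only ingress is checked; SecurityGroupEgress to 0.0.0.0/0 is not flagged.
            for rule in props.get("SecurityGroupIngress", []):
                for key in ("CidrIp", "CidrIpv6"):
                    if is_world_open(rule.get(key)):
                        findings.append((logical_id, rule[key]))
        elif res.get("Type") == RDS_SG_TYPE:
            for rule in props.get("DBSecurityGroupIngress", []):
                if is_world_open(rule.get("CIDRIP")):
                    findings.append((logical_id, rule["CIDRIP"]))
    return sorted(findings)


# Constructed sample template (not from the page): one public instance, one
# trusted and two world-open EC2 security groups, and two DB security groups.
CONSTRUCTED_TEMPLATE = json.loads("""
{"Resources": {
  "PublicDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
    "PubliclyAccessible": true, "Engine": "MySQL",
    "VPCSecurityGroups": [{"Fn::GetAtt": ["OpenV4Sg", "GroupId"]}]}},
  "OpenV4Sg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "world-open IPv4 ingress",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": "0.0.0.0/0"}],
    "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
  "OpenV6Sg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "world-open IPv6 ingress",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIpv6": "::/0"}]}},
  "TrustedSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "ingress from a trusted range and a parameter",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": "203.0.113.0/24"},
      {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": {"Ref": "TrustedCidr"}}]}},
  "OpenDbSg": {"Type": "AWS::RDS::DBSecurityGroup", "Properties": {
    "GroupDescription": "world-open", "DBSecurityGroupIngress": [{"CIDRIP": "0.0.0.0/0"}]}},
  "TrustedDbSg": {"Type": "AWS::RDS::DBSecurityGroup", "Properties": {
    "GroupDescription": "trusted", "DBSecurityGroupIngress": [{"CIDRIP": "203.0.113.0/24"}]}}
}}
""")

# Same template with the instance made private: the rule no longer applies.
PRIVATE_TEMPLATE = copy.deepcopy(CONSTRUCTED_TEMPLATE)
PRIVATE_TEMPLATE["Resources"]["PublicDb"]["Properties"]["PubliclyAccessible"] = False


if __name__ == "__main__":
    for logical_id, cidr in find_public_db_security_groups(CONSTRUCTED_TEMPLATE):
        print(f"{logical_id}: ingress from {cidr} reaches a publicly accessible DB instance")
```

Run as a script, the check reports OpenDbSg, OpenV4Sg and OpenV6Sg and stays silent on the trusted groups, the egress rule and the PRIVATE_TEMPLATE variant; a real template would be loaded with json.load from a file instead of the embedded string.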
Secure examples (restrict to a trusted CIDR or a security group):
```yaml
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Allow DB access from trusted network"
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 5432
        ToPort: 5432
        CidrIp: 203.0.113.0/24
```
```yaml
# This template is compliant: the rule should not report any result.
Resources:
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 1.2.3.4/24
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      VPCSecurityGroups:
        - !GetAtt DBEC2SecurityGroup.GroupId
```
```yaml
Resources:
  DBinstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBSecurityGroups:
        - Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        - CIDRIP: 1.2.3.4/24
```
```json
{
  "Resources": {
    "DBEC2SecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {
            "CidrIp": "1.2.3.4/24",
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "GroupDescription": "Open database for access"
      }
    },
    "DBInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "PubliclyAccessible": true,
        "DBName": { "Ref": "DBName" },
        "MultiAZ": { "Ref": "MultiAZDatabase" },
        "MasterUsername": { "Ref": "DBUser" },
        "AllocatedStorage": { "Ref": "DBAllocatedStorage" },
        "Engine": "MySQL",
        "DBInstanceClass": { "Ref": "DBClass" },
        "MasterUserPassword": { "Ref": "DBPassword" },
        "VPCSecurityGroups": ["DBEC2SecurityGroup.GroupId"]
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
Resources:
  DBEC2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  DBInstance:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      VPCSecurityGroups:
        - !GetAtt DBEC2SecurityGroup.GroupId
```
```yaml
Resources:
  DBinstance2:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBSecurityGroups:
        - Ref: "DbSecurityByEC2SecurityGroup"
      AllocatedStorage: "5"
      DBInstanceClass: "db.t3.small"
      Engine: "MySQL"
      MasterUsername: "YourName"
      MasterUserPassword: "YourPassword"
    DeletionPolicy: "Snapshot"
  DbSecurityByEC2SecurityGroup:
    Type: AWS::RDS::DBSecurityGroup
    Properties:
      GroupDescription: "Ingress for Amazon EC2 security group"
      DBSecurityGroupIngress:
        - CIDRIP: 0.0.0.0/0
```
```yaml
Resources:
  DBEC2SecurityGroup2:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Open database for access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: "::/0"
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  DBInstance3:
    Type: AWS::RDS::DBInstance
    Properties:
      PubliclyAccessible: true
      DBName:
        Ref: DBName
      Engine: MySQL
      MultiAZ:
        Ref: MultiAZDatabase
      MasterUsername:
        Ref: DBUser
      DBInstanceClass:
        Ref: DBClass
      AllocatedStorage:
        Ref: DBAllocatedStorage
      MasterUserPassword:
        Ref: DBPassword
      VPCSecurityGroups:
        - !GetAtt DBEC2SecurityGroup2.GroupId
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```