The default Amazon EC2 security group must not define inbound or outbound rules because permissive rules on the default group can expose instances to unauthorized access and enable lateral movement between resources.
In CloudFormation, this rule checks AWS::EC2::SecurityGroup resources with Properties.GroupName set to "default" and requires that Properties.SecurityGroupIngress and Properties.SecurityGroupEgress are either absent or empty. Resources with non-empty ingress or egress arrays will be flagged.
If you need to allow specific traffic, create a separate security group with explicit least-privilege rules and attach that group to instances instead of modifying the default group.
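The check described above can be reproduced with a small script, shown here as an added example that is not Datadog's scanner code. It walks the Resources section of a CloudFormation template (JSON form; a YAML template can be converted first, for example with cfn-flip) and reports every AWS::EC2::SecurityGroup whose GroupName is the literal string "default" and whose SecurityGroupIngress or SecurityGroupEgress is present and non-empty. The two embedded templates are constructed to mirror the compliant and non-compliant examples on this page; the function and resource names in them are assumptions.

```python
"""Flag CloudFormation default security groups that define ingress/egress rules.

Added example (not Datadog's implementation). Stdlib only: JSON templates are
parsed with json; convert YAML templates to JSON first (e.g. cfn-flip).
"""
import json
from typing import Any, Dict, List

SG_TYPE = "AWS::EC2::SecurityGroup"
RULE_PROPS = ("SecurityGroupIngress", "SecurityGroupEgress")


def find_default_sg_violations(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per default security group that carries rules.

    Each finding names the resource's logical ID and the offending property
    names, so a report can point at the exact array that must be emptied.
    """
    findings: List[Dict[str, Any]] = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != SG_TYPE:
            continue
        props = resource.get("Properties") or {}
        # GroupName may be an intrinsic such as {"Ref": "..."}; the rule only
        # matches the literal string "default".
        if props.get("GroupName") != "default":
            continue
        # Absent, null or [] pass. A non-empty list (or an intrinsic we cannot
        # evaluate statically) is reported, erring on the side of a finding.
        offending = [p for p in RULE_PROPS if props.get(p)]
        if offending:
            findings.append({"resource": logical_id, "properties": offending})
    return findings


def scan_template_text(text: str) -> List[Dict[str, Any]]:
    """Parse a JSON template string and run the check on it."""
    return find_default_sg_violations(json.loads(text))


# Constructed templates mirroring this page's examples (sample data, not real infra).
NON_COMPLIANT = {
    "Resources": {
        "Ec2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"SecurityGroups": [{"Ref": "InstanceSecurityGroup"}]},
        },
        "InstanceSecurityGroup": {
            "Type": SG_TYPE,
            "Properties": {
                "GroupName": "default",
                "GroupDescription": "Enable SSH access via port 22",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
    }
}

# Remediated form: the default group carries no rules; the instance gets a
# separate, explicitly scoped group instead (group name "ssh-from-bastion" is
# an assumption).
COMPLIANT = {
    "Resources": {
        "Ec2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"SecurityGroups": [{"Ref": "SshSecurityGroup"}]},
        },
        "DefaultSecurityGroup": {
            "Type": SG_TYPE,
            "Properties": {"GroupName": "default", "GroupDescription": "Default group, no rules"},
        },
        "SshSecurityGroup": {
            "Type": SG_TYPE,
            "Properties": {
                "GroupName": "ssh-from-bastion",
                "GroupDescription": "SSH from the bastion subnet only",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.1.0/24"}
                ],
            },
        },
    }
}


if __name__ == "__main__":
    for name, tpl in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(name, find_default_sg_violations(tpl))
```

Running the script prints one finding for the non-compliant template (InstanceSecurityGroup, both rule properties) and an empty list for the compliant one, where the rules live on a dedicated group and the default group stays empty.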
Compliant Code Examples

```yaml
Parameters:
  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
        - MyExistingSecurityGroup
      KeyName: !Ref KeyName
      ImageId: ami-7a11e213
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: default
      GroupDescription: Enable SSH access via port 22
```

```json
{
  "Parameters": {
    "KeyName": {
      "Description": "The EC2 Key Pair to allow SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName"
    }
  },
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": ["InstanceSecurityGroup", "MyExistingSecurityGroup"],
        "KeyName": "KeyName",
        "ImageId": "ami-7a11e213"
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupName": "default",
        "GroupDescription": "Enable SSH access via port 22"
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
Parameters:
  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
        - MyExistingSecurityGroup
      KeyName: !Ref KeyName
      ImageId: ami-7a11e213
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: default
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
```

```json
{
  "Parameters": {
    "KeyName": {
      "Description": "The EC2 Key Pair to allow SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName"
    }
  },
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": ["InstanceSecurityGroup", "MyExistingSecurityGroup"],
        "KeyName": "KeyName",
        "ImageId": "ami-7a11e213"
      }
    },
    "InstanceSecurityGroup": {
      "Properties": {
        "GroupName": "default",
        "GroupDescription": "Enable SSH access via port 22",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}
        ],
        "SecurityGroupEgress": [
          {"FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp"}
        ]
      },
      "Type": "AWS::EC2::SecurityGroup"
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```