--- title: ELB sensitive port is exposed to entire network description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > ELB sensitive port is exposed to entire network --- # ELB sensitive port is exposed to entire network {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-elb-sensitive-port-is-exposed-to-entire-network` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html) ### Description{% #description %} Load balancer security groups that allow ingress from the entire internet (for example, `0.0.0.0/0` or `::/0`) to sensitive ports expose management, database, and application endpoints to unauthorized access and exploitation. Check load balancer resources (`AWS::ElasticLoadBalancing::LoadBalancer` and `AWS::ElasticLoadBalancingV2::LoadBalancer`) and their referenced security groups. Examine `SecurityGroupIngress` entries (`Properties.SecurityGroupIngress`) for `IpProtocol`, `FromPort`/`ToPort`, and `CidrIp`. The `CidrIp` value must not be a `/0` range for ports that map to sensitive services (for example, SSH `22`, RDP `3389`, and database ports). If a load balancer lists `SecurityGroups`, validate those `AWS::EC2::SecurityGroup` resources. If the load balancer is associated via Amazon EC2 instances, validate those instances' `Properties.SecurityGroups` as well. Ingress rules that include a `/0` CIDR covering the flagged ports will be reported. Secure example restricting SSH to a single admin IP: ```yaml AdminSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Restrict SSH to admin workstation VpcId: vpc-01234567 SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 203.0.113.5/32 ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Resources: MyLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-2a" CrossZone: true Scheme: internet-facing Listeners: - InstancePort: '80' InstanceProtocol: HTTP LoadBalancerPort: '443' Protocol: HTTPS PolicyNames: - My-SSLNegotiation-Policy SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate HealthCheck: Target: HTTP:80/ HealthyThreshold: '2' UnhealthyThreshold: '3' Interval: '10' Timeout: '5' SecurityGroups: [ !Ref LBNegativeSecGroup01 ] Policies: - PolicyName: My-SSLNegotiation-Policy PolicyType: SSLNegotiationPolicyType Attributes: - Name: Reference-Security-Policy Value: ELBSecurityPolicy-TLS-1-2-2017-01 LBNegativeSecGroup01: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http and ssh VpcId: my-vpc SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 127.0.0.1/32 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 127.0.0.1/32 SecurityGroupEgress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Parameters: MySubnets: Description: "My subnet" Type: List Resources: ApplicationLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: ip-target-alb Subnets: !Ref MySubnets SecurityGroups: - !Ref ALBNegativeSecGroup Tags: - Key: Name Value: ip-target-alb ALBNegativeSecGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http and ssh VpcId: my-vpc SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 127.0.0.1/32 - IpProtocol: tcp FromPort: 77 ToPort: 77 CidrIp: 127.0.0.1/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 HTTPALBListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: LoadBalancerArn: !Ref ApplicationLoadBalancer Port: 80 Protocol: HTTP DefaultActions: - Type: forward TargetGroupArn: !Ref IPTargetGroup IPTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: VpcId: my-vpc Port: 80 Protocol: HTTP TargetType: ip Matcher: HttpCode: '200' HealthCheckIntervalSeconds: 10 HealthCheckPath: /health/check HealthCheckProtocol: HTTP HealthCheckTimeoutSeconds: 5 HealthyThresholdCount: 2 UnhealthyThresholdCount: 2 TestListenerRule1: Type: "AWS::ElasticLoadBalancingV2::ListenerRule" Properties: Priority: 1 ListenerArn: !Ref HTTPALBListener Conditions: - Field: "host-header" Values: - "test1.checkmarx.com" Actions: - Type: "forward" TargetGroupArn: !Ref IPTargetGroup Order: 1 ForwardConfig: TargetGroups: - TargetGroupArn: !Ref IPTargetGroup Weight: 1 TargetGroupStickinessConfig: Enabled: false ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Parameters: MySubnet: Description: "My subnet" Type: List Resources: NetworkLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: t10-networkloadbalancer Scheme: internet-facing Subnets: !Ref MySubnet Type: network Tags: - Key: Name Value: t10-networklb InstancesNegativeSecGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http and ssh VpcId: my-vpc SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 127.0.0.1/32 - IpProtocol: tcp FromPort: 77 ToPort: 77 CidrIp: 127.0.0.1/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 EC2Instance01: Type: AWS::EC2::Instance Properties: InstanceType: t3.2xlarge SecurityGroups: [!Ref 'InstancesNegativeSecGroup'] KeyName: my-rsa-key ImageId: ami-79fd7eee EC2Instance02: Type: AWS::EC2::Instance Properties: InstanceType: t3.2xlarge SecurityGroups: [!Ref 'InstancesNegativeSecGroup'] KeyName: my-rsa-key ImageId: ami-79fd7eee NetworkLoadBalancerTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: t10-networklb-target Port: 443 Protocol: TCP VpcId: t10-vpc-id TargetGroupAttributes: - Key: deregistration_delay.timeout_seconds Value: 60 Targets: - Id: !Ref EC2Instance01 Port: 443 - Id: !Ref EC2Instance02 Port: 443 Tags: - Key: Name Value: t10-networklb-target NetworkLoadBalancerListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup LoadBalancerArn: !Ref NetworkLoadBalancer Port: 443 Protocol: TCP NetworkLoadBalancerListenerCert: Type: AWS::ElasticLoadBalancingV2::ListenerCertificate Properties: Certificates: - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456.... ListenerArn: !Ref NetworkLoadBalancerListener ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Resources: MyLoadBalancer: Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: AvailabilityZones: - "us-east-2a" CrossZone: true Scheme: internet-facing Listeners: - InstancePort: '80' InstanceProtocol: HTTP LoadBalancerPort: '443' Protocol: HTTPS PolicyNames: - My-SSLNegotiation-Policy SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate HealthCheck: Target: HTTP:80/ HealthyThreshold: '2' UnhealthyThreshold: '3' Interval: '10' Timeout: '5' SecurityGroups: - !Ref LBSecGroup Policies: - PolicyName: My-SSLNegotiation-Policy PolicyType: SSLNegotiationPolicyType Attributes: - Name: Reference-Security-Policy Value: ELBSecurityPolicy-TLS-1-2-2017-01 LBSecGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http and ssh VpcId: my-vpc SecurityGroupIngress: - IpProtocol: tcp FromPort: 50 ToPort: 80 CidrIp: 127.0.0.1/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 127.0.0.1/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Parameters: MySubnets: Description: "My subnet" Type: List Resources: ApplicationLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: ip-target-alb Subnets: !Ref MySubnets SecurityGroups: - !Ref ALBSecGroup Tags: - Key: Name Value: ip-target-alb ALBSecGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http and ssh VpcId: my-vpc SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 127.0.0.1/32 - IpProtocol: tcp FromPort: 6379 ToPort: 6379 CidrIp: 127.0.0.1/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 HTTPALBListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: LoadBalancerArn: !Ref ApplicationLoadBalancer Port: 80 Protocol: HTTP DefaultActions: - Type: forward TargetGroupArn: !Ref IPTargetGroup IPTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: VpcId: my-vpc Port: 80 Protocol: HTTP TargetType: ip Matcher: HttpCode: '200' HealthCheckIntervalSeconds: 10 HealthCheckPath: /health/check HealthCheckProtocol: HTTP HealthCheckTimeoutSeconds: 5 HealthyThresholdCount: 2 UnhealthyThresholdCount: 2 TestListenerRule1: Type: "AWS::ElasticLoadBalancingV2::ListenerRule" Properties: Priority: 1 ListenerArn: !Ref HTTPALBListener Conditions: - Field: "host-header" Values: - "test1.checkmarx.com" Actions: - Type: "forward" TargetGroupArn: !Ref IPTargetGroup Order: 1 ForwardConfig: TargetGroups: - TargetGroupArn: !Ref IPTargetGroup Weight: 1 TargetGroupStickinessConfig: Enabled: false ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Parameters: MySubnet: Description: "My subnet" Type: List Resources: GatewayLoadBalancer: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: Name: my-gateway-load-balancer Scheme: internet-facing Type: gateway Subnets: !Ref MySubnet InstancesSecGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http and ssh VpcId: my-vpc SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 127.0.0.1/32 - IpProtocol: tcp FromPort: 636 ToPort: 636 CidrIp: 127.0.0.1/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 EC2Instance01: Type: AWS::EC2::Instance Properties: InstanceType: t3.2xlarge SecurityGroups: - !Ref 'InstancesSecGroup' KeyName: my-rsa-key ImageId: ami-79fd7eee EC2Instance02: Type: AWS::EC2::Instance Properties: InstanceType: t3.2xlarge SecurityGroups: - !Ref 'InstancesSecGroup' KeyName: my-rsa-key ImageId: ami-79fd7eee GatewayLoadBalancerTargetGroup: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties: Name: t10-networklb-target Port: 443 Protocol: TCP VpcId: t10-vpc-id TargetGroupAttributes: - Key: deregistration_delay.timeout_seconds Value: '60' Targets: - Id: !Ref EC2Instance01 Port: 443 - Id: !Ref EC2Instance02 Port: 443 Tags: - Key: Name Value: t10-networklb-target GatewayLoadBalancerListener: Type: AWS::ElasticLoadBalancingV2::Listener Properties: DefaultActions: - Type: forward TargetGroupArn: !Ref GatewayLoadBalancerTargetGroup LoadBalancerArn: !Ref GatewayLoadBalancer Port: 443 Protocol: TCP GatewayLoadBalancerListenerCert: Type: AWS::ElasticLoadBalancingV2::ListenerCertificate Properties: Certificates: - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456.... ListenerArn: !Ref GatewayLoadBalancerListener ```