Opening port ranges for GameLift fleet instances increases the attack surface by exposing multiple ports instead of a single intended port. This can allow additional network-based attacks and makes it harder to reason about allowed traffic.
For AWS::GameLift::Fleet resources, each entry in the Properties.EC2InboundPermissions array must set FromPort and ToPort to the same numeric value so only a single port is opened. Resources with EC2InboundPermissions entries where FromPort is not equal to ToPort will be flagged. Ensure both properties are defined and equal for every entry.
Compliant Code Examples

```yaml
Resources:
  FleetResource2:
    Type: AWS::GameLift::Fleet
    Properties:
      BuildId: !Ref BuildResource
      CertificateConfiguration:
        CertificateType: DISABLED
      Description: Description of my Game Fleet
      DesiredEc2Instances: 1
      EC2InboundPermissions:
        - FromPort: '1234'
          ToPort: '1234'
          IpRange: 0.0.0.0/24
          Protocol: TCP
        - FromPort: '1356'
          ToPort: '1356'
          IpRange: 192.168.0.0/24
          Protocol: UDP
```

```json
{
  "Resources": {
    "FleetResource2": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "CertificateConfiguration": {
          "CertificateType": "DISABLED"
        },
        "Description": "Description of my Game Fleet",
        "DesiredEc2Instances": 1,
        "EC2InboundPermissions": [
          {
            "FromPort": "1234",
            "ToPort": "1234",
            "IpRange": "0.0.0.0/24",
            "Protocol": "TCP"
          },
          {
            "ToPort": "1356",
            "IpRange": "192.168.0.0/24",
            "Protocol": "UDP",
            "FromPort": "1356"
          }
        ],
        "BuildId": "BuildResource"
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
Resources:
  FleetResource1:
    Type: AWS::GameLift::Fleet
    Properties:
      BuildId: !Ref BuildResource
      CertificateConfiguration:
        CertificateType: DISABLED
      Description: Description of my Game Fleet1
      DesiredEc2Instances: 1
      EC2InboundPermissions:
        - FromPort: '1234'
          ToPort: '134'
          IpRange: 0.0.0.0/24
          Protocol: TCP
        - FromPort: 1356
          ToPort: 1578
          IpRange: 192.168.0.0/24
          Protocol: UDP
  FleetResource3:
    Type: AWS::GameLift::Fleet
    Properties:
      BuildId: !Ref BuildResource
      CertificateConfiguration:
        CertificateType: DISABLED
      Description: Description of my Game Fleet3
      DesiredEc2Instances: 1
      EC2InboundPermissions:
        - FromPort: 1234
          ToPort: '134'
          IpRange: 0.0.0.0/24
          Protocol: TCP
        - FromPort: '1356'
          ToPort: 1578
          IpRange: 192.168.0.0/24
          Protocol: UDP
```

```json
{
  "Resources": {
    "FleetResource1": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "EC2InboundPermissions": [
          {
            "FromPort": "1234",
            "ToPort": "134",
            "IpRange": "0.0.0.0/24",
            "Protocol": "TCP"
          },
          {
            "FromPort": 1356,
            "ToPort": 1578,
            "IpRange": "192.168.0.0/24",
            "Protocol": "UDP"
          }
        ],
        "BuildId": "BuildResource",
        "CertificateConfiguration": {
          "CertificateType": "DISABLED"
        },
        "Description": "Description of my Game Fleet1",
        "DesiredEc2Instances": 1
      }
    },
    "FleetResource3": {
      "Type": "AWS::GameLift::Fleet",
      "Properties": {
        "BuildId": "BuildResource",
        "CertificateConfiguration": {
          "CertificateType": "DISABLED"
        },
        "Description": "Description of my Game Fleet3",
        "DesiredEc2Instances": 1,
        "EC2InboundPermissions": [
          {
            "FromPort": 1234,
            "ToPort": "134",
            "IpRange": "0.0.0.0/24",
            "Protocol": "TCP"
          },
          {
            "FromPort": "1356",
            "ToPort": 1578,
            "IpRange": "192.168.0.0/24",
            "Protocol": "UDP"
          }
        ]
      }
    }
  }
}
```
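The check described above, written as a small stand-alone Python script (an added example, not Datadog's rule implementation): it walks a CloudFormation template in JSON form, looks only at AWS::GameLift::Fleet resources, and flags every EC2InboundPermissions entry whose FromPort and ToPort are missing or differ. Because templates mix integers and numeric strings (1234 versus '1234'), the ports are compared numerically; the sample template is constructed for this example.

```python
import json

GAMELIFT_FLEET = "AWS::GameLift::Fleet"


def _as_port(value):
    """Normalize a port given as int or numeric string (CloudFormation accepts
    both 1234 and '1234'); return None when it is missing or not a number."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    return None


def find_port_range_violations(template):
    """Return (resource_name, entry_index, reason) for every EC2InboundPermissions
    entry on a GameLift fleet where FromPort and ToPort are missing or differ."""
    violations = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != GAMELIFT_FLEET:
            continue  # the rule applies only to AWS::GameLift::Fleet resources
        perms = resource.get("Properties", {}).get("EC2InboundPermissions", [])
        for idx, perm in enumerate(perms):
            lo, hi = _as_port(perm.get("FromPort")), _as_port(perm.get("ToPort"))
            if lo is None or hi is None:
                violations.append((name, idx, "FromPort or ToPort missing/invalid"))
            elif lo != hi:  # numeric comparison, so '1234' and 1234 are equal
                violations.append((name, idx, f"range {lo}-{hi} opens {abs(hi - lo) + 1} ports"))
    return violations


# Constructed sample template (not from the page): one compliant fleet, one fleet
# with a port range and a missing ToPort, and an unrelated resource to be skipped.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "GoodFleet": {"Type": "AWS::GameLift::Fleet", "Properties": {"EC2InboundPermissions": [
      {"FromPort": "1234", "ToPort": 1234, "IpRange": "10.0.0.0/24", "Protocol": "TCP"}]}},
    "BadFleet": {"Type": "AWS::GameLift::Fleet", "Properties": {"EC2InboundPermissions": [
      {"FromPort": 1356, "ToPort": "1578", "IpRange": "10.0.0.0/24", "Protocol": "UDP"},
      {"FromPort": 7777, "IpRange": "10.0.0.0/24", "Protocol": "TCP"}]}},
    "NotAFleet": {"Type": "AWS::EC2::SecurityGroup", "Properties": {}}
  }
}""")

if __name__ == "__main__":
    for res, idx, why in find_port_range_violations(SAMPLE_TEMPLATE):
        print(f"{res}.EC2InboundPermissions[{idx}]: {why}")
```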
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```