For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-http-port-open.md. A documentation index is available at /llms.txt.

HTTP port open to internet

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-http-port-open

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Networking and Firewall

Learn More

Description

Security groups should not allow HTTP (port 80) ingress from the entire internet because it exposes web services to unauthenticated access and increases the attack surface for automated scanning and exploitation.

In CloudFormation, inspect AWS::EC2::SecurityGroup resources’ SecurityGroupIngress entries and ensure none have CidrIp = 0.0.0.0/0 or CidrIpv6 = ::/0, combined with IpProtocol set to tcp, -1, or 6, and a port range that includes 80. This rule flags ingress entries where FromPort <= 80 and ToPort >= 80, indicating port 80 is open to the world.

To remediate, restrict source CIDRs to trusted ranges, place services behind a load balancer or VPN, or require encrypted access (HTTPS/port 443) instead of allowing global HTTP.

Secure configuration example (restrict to specific CIDR):

MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Web server security group
    VpcId: !Ref MyVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 10.0.0.0/16

Compliant Code Examples

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 192.168.0.0/16

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "192.168.0.0/16"
          }
        ]
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}