For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-remote-desktop-port-open-to-internet.md. A documentation index is available at /llms.txt.

Remote Desktop port open to the internet

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-remote-desktop-port-open-to-internet

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Networking and Firewall

Learn More

Description

Opening the Remote Desktop service (TCP port 3389) to the public internet exposes Windows hosts to automated scanning and brute‑force attacks and enables unauthorized remote access that can lead to credential compromise and lateral movement. In AWS CloudFormation, inspect AWS::EC2::SecurityGroup resources’ Properties.SecurityGroupIngress entries and flag any ingress where CidrIp is 0.0.0.0/0 or CidrIpv6 is ::/0, IpProtocol is TCP (tcp, -1, or 6), and the port range includes 3389 (FromPort <= 3389 and ToPort >= 3389). Replace global access with specific trusted CIDR ranges or remove the rule. Provide remote access via a bastion host, VPN, or AWS Systems Manager Session Manager instead of exposing RDP directly.

Secure example restricting RDP to a single trusted IP:

MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow RDP from trusted admin network only
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3389
        ToPort: 3389
        CidrIp: 203.0.113.4/32

Compliant Code Examples

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow rdp to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: 192.168.0.0/16

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow rdp to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "CidrIp": "192.168.0.0/16"
          }
        ]
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow rdp to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: 0.0.0.0/0

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow rdp to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}