Egress rules that allow all protocols (IpProtocol: -1) permit unrestricted outbound traffic. This increases the risk of data exfiltration and enables command-and-control traffic or lateral movement.
For AWS::EC2::SecurityGroupEgress resources and for entries in AWS::EC2::SecurityGroup > Properties.SecurityGroupEgress, IpProtocol must not be set to -1; resources with IpProtocol: -1 are flagged. Instead, specify an explicit protocol such as tcp, udp, or icmp, give TCP and UDP rules a corresponding FromPort/ToPort range, and restrict destination CIDRs or target security groups to the minimum required.
Compliant example (explicit tcp protocol with port ranges on every egress rule):
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
        ]
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "DestinationSecurityGroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "GroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] }
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "SourceSecurityGroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "GroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535
      }
    }
  }
}
Non-compliant example (IpProtocol: -1 on the egress rules is flagged):
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "CidrIp": "0.0.0.0/0", "IpProtocol": -1, "FromPort": 80, "ToPort": 80 }
        ],
        "SecurityGroupEgress": [
          { "CidrIp": "0.0.0.0/0", "IpProtocol": -1, "FromPort": 80, "ToPort": 80 }
        ]
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "DestinationSecurityGroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "GroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "IpProtocol": -1,
        "FromPort": 0,
        "ToPort": 65535
      }
    },
    "InboundRule": {
      "Properties": {
        "GroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "IpProtocol": -1,
        "FromPort": 0,
        "ToPort": 65535,
        "SourceSecurityGroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] }
      },
      "Type": "AWS::EC2::SecurityGroupIngress"
    }
  }
}
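The check this rule performs can be reproduced locally before a template reaches CI. The following is an added example written for this page, not Datadog's rule implementation: it walks a JSON CloudFormation template, inspects both resource shapes the rule covers (AWS::EC2::SecurityGroupEgress and SecurityGroup > Properties.SecurityGroupEgress), and reports any egress rule with IpProtocol -1, accepting the value either as the string "-1" or the bare number -1 that the non-compliant template above uses. It additionally warns when a tcp or udp egress rule has no FromPort/ToPort range, which goes slightly beyond the flagged condition but matches the remediation guidance. The two embedded templates are the page's compliant and non-compliant examples reduced to the fields the check reads; the function and finding-tuple names are this example's own.

```python
import json

# CloudFormation accepts IpProtocol as "-1" (string) or, in JSON templates, as a bare -1.
def _is_all_protocols(value):
    return value is not None and str(value).strip() == "-1"


def _egress_rule_findings(resource_name, path, rule):
    """Check one egress rule; return (resource, json-path, message) tuples."""
    findings = []
    proto = rule.get("IpProtocol")
    if _is_all_protocols(proto):
        findings.append((resource_name, f"{path}.IpProtocol",
                         "egress allows all protocols (IpProtocol: -1)"))
    elif str(proto).lower() in ("tcp", "udp") and not ("FromPort" in rule and "ToPort" in rule):
        # Not the flagged condition itself, but the remediation asks for an explicit port range.
        findings.append((resource_name, path,
                         f"{proto} egress has no FromPort/ToPort range"))
    return findings


def find_all_protocol_egress(template):
    """Scan a parsed CloudFormation template. Ingress rules are ignored, as in the rule."""
    findings = []
    for name, resource in (template.get("Resources") or {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype == "AWS::EC2::SecurityGroupEgress":
            findings += _egress_rule_findings(name, "Properties", props)
        elif rtype == "AWS::EC2::SecurityGroup":
            for i, rule in enumerate(props.get("SecurityGroupEgress") or []):
                findings += _egress_rule_findings(
                    name, f"Properties.SecurityGroupEgress[{i}]", rule)
    return findings


def scan_template_text(text):
    """Convenience wrapper for a JSON template held as a string (e.g. read from a file)."""
    return find_all_protocol_egress(json.loads(text))


# The page's compliant example, reduced to the fields the check reads.
COMPLIANT = {"Resources": {
    "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                  "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                 "CidrIp": "0.0.0.0/0"}]}},
    "OutboundRule": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}}},
    "InboundRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}}}}}

# The page's non-compliant example, reduced the same way (note the bare -1 values).
NON_COMPLIANT = {"Resources": {
    "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "IpProtocol": -1,
                                  "FromPort": 80, "ToPort": 80}],
        "SecurityGroupEgress": [{"CidrIp": "0.0.0.0/0", "IpProtocol": -1,
                                 "FromPort": 80, "ToPort": 80}]}},
    "OutboundRule": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "IpProtocol": -1, "FromPort": 0, "ToPort": 65535}},
    "InboundRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "IpProtocol": -1, "FromPort": 0, "ToPort": 65535,
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}}}}}


if __name__ == "__main__":
    for label, template in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(f"{label}:")
        for resource, path, message in find_all_protocol_egress(template):
            print(f"  {resource} {path}: {message}")
```

Only the two egress resources in the non-compliant template are reported; the InboundRule with IpProtocol -1 is an ingress rule and falls outside this rule, so it is deliberately not a finding here. The port-range warning is a separate message so it can be filtered out where only the rule's own condition matters.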
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.