Egress rules should restrict outbound traffic to a single explicit port to enforce least privilege. Allowing port ranges expands the attack surface and can enable unintended outbound connections, lateral movement, or data exfiltration.
In CloudFormation, AWS::EC2::SecurityGroupEgress resources must have Properties.FromPort and Properties.ToPort defined and set to the same value. For AWS::EC2::SecurityGroup resources, each entry in Properties.SecurityGroupEgress must have FromPort equal to ToPort. Resources missing these properties, or where FromPort does not equal ToPort, will be flagged. Set both properties to the same explicit port number (for example, 443) instead of using a range.
Compliant example (FromPort equals ToPort on every egress rule):

```json
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
        ],
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 0,
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 0,
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}
      }
    }
  }
}
```
Non-compliant example (egress port ranges 80-87 and 0-65535 instead of a single port):

```json
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 87, "CidrIp": "0.0.0.0/0"}
        ],
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 87, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}
      }
    }
  }
}
```
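The check described above, written out as an added example over a parsed JSON template. This is illustrative code, not Datadog's rule implementation; the resource types and property names are the ones named in the rule, and the two sample templates are constructed to mirror the examples above.

```python
EGRESS_RESOURCE = "AWS::EC2::SecurityGroupEgress"
GROUP_RESOURCE = "AWS::EC2::SecurityGroup"


def port_range_violation(props):
    """Reason string if FromPort/ToPort are absent or differ, else None."""
    from_port, to_port = props.get("FromPort"), props.get("ToPort")
    if from_port is None or to_port is None:
        return "FromPort and ToPort must both be defined"
    if from_port != to_port:
        return f"port range {from_port}-{to_port} is not a single port"
    return None


def find_egress_port_ranges(template):
    """Return [(location, reason)] for every egress rule that fails the check.
    Standalone SecurityGroupEgress resources are checked on Properties; SecurityGroup
    resources on each entry of Properties.SecurityGroupEgress. Ingress is out of scope."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        if resource.get("Type") == EGRESS_RESOURCE:
            targets = [(logical_id, props)]
        elif resource.get("Type") == GROUP_RESOURCE:
            targets = [(f"{logical_id}.SecurityGroupEgress[{i}]", entry)
                       for i, entry in enumerate(props.get("SecurityGroupEgress", []))]
        else:
            continue
        for location, rule in targets:
            reason = port_range_violation(rule)
            if reason:
                findings.append((location, reason))
    return findings


# Constructed sample templates (not from any real stack), mirroring the page's examples.
COMPLIANT = {"Resources": {
    "OutboundRule": {"Type": EGRESS_RESOURCE, "Properties": {
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}},
    "InstanceSecurityGroup": {"Type": GROUP_RESOURCE, "Properties": {
        "GroupDescription": "web", "SecurityGroupEgress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}}}}

NON_COMPLIANT = {"Resources": {
    "OutboundRule": {"Type": EGRESS_RESOURCE, "Properties": {
        "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}},
    "AllTraffic": {"Type": EGRESS_RESOURCE, "Properties": {  # no ports at all: flagged
        "IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}},
    "InstanceSecurityGroup": {"Type": GROUP_RESOURCE, "Properties": {
        "GroupDescription": "web", "SecurityGroupEgress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 87, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}}}}
```

Only the entries with a range or with missing ports are reported; the single-port 443 entry in the non-compliant group passes.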
Ruleset entry for this rule:

```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```