For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-security-group-ingress-has-cidr-not-recommended.md.
A documentation index is available at /llms.txt.
Ingress rules that use single-address CIDRs (IPv4 /32 or IPv6 /128) are brittle. They often indicate hard-coded, single-IP access which can become stale, break when addresses are reassigned, and lead to unintended access or operational disruption.
This check inspects AWS::EC2::SecurityGroupIngress resources (Properties.CidrIp and Properties.CidrIpv6) and AWS::EC2::SecurityGroup resources’ Properties.SecurityGroupIngress[].CidrIp and CidrIpv6 entries. Any entry containing /32 (IPv4) or /128 (IPv6) will be flagged.
To remediate, avoid hard-coding single IPs by using SourceSecurityGroupId, AWS managed prefix lists, or appropriately scoped network CIDRs that reflect your trusted network. If a single-IP exception is required, document the justification and maintain a process to review and update it.
Secure configuration example (use security group reference instead of single IP):
```yaml
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Web server security group
    VpcId: !Ref MyVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        SourceSecurityGroupId: !Ref BastionSecurityGroup
```
Compliant example (ingress CIDRs are network-scoped: 192.0.2.0/24 and 2001:0DB8:1234::/48, so nothing is flagged). Note that this fixture exercises the check only: a real AWS::EC2::SecurityGroupIngress or SecurityGroupEgress rule may specify just one source or destination (CidrIp, CidrIpv6, a prefix list, or a security group ID), so InboundRule and OutboundRule below would be rejected by CloudFormation as written.

```json
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "192.0.2.0/24"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "192.0.2.0/24"
          }
        ]
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "GroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "DestinationSecurityGroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "CidrIp": "192.0.2.0/24",
        "IpProtocol": "tcp",
        "Description": "TCP",
        "FromPort": 0,
        "ToPort": 0
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "SourceSecurityGroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "CidrIpv6": "2001:0DB8:1234::/48",
        "IpProtocol": "tcp",
        "Description": "TCP",
        "FromPort": 0,
        "ToPort": 0
      }
    }
  }
}
```
Non-compliant example (flagged: CidrIpv6 ::/128 on InboundRule and CidrIp 122.24.0.0/32 in InstanceSecurityGroup's SecurityGroupIngress; the egress CIDRs are outside the scope of this check):

```json
{
  "Resources": {
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "GroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "DestinationSecurityGroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "CidrIp": "192.0.2.0/24",
        "IpProtocol": "tcp",
        "Description": "TCP",
        "FromPort": 0,
        "ToPort": 65535
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "SourceSecurityGroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "CidrIpv6": "::/128",
        "IpProtocol": "tcp",
        "Description": "TCP",
        "FromPort": 0,
        "ToPort": 65535
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "122.24.0.0/32"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "192.0.2.0/24"
          }
        ]
      }
    }
  }
}
```
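The check described above, written out as an added example (this is not Datadog's rule implementation): a stdlib-only Python checker that walks a CloudFormation template loaded as a dict and reports every ingress CIDR that covers a single address. It assumes the template was parsed with json.load (a YAML template using !Ref/!GetAtt tags needs a CloudFormation tag-aware loader first). The sample template is constructed from the ingress parts of the non-compliant example, plus one Ref-valued CidrIp to show that values resolved only at deploy time are skipped rather than flagged.

```python
"""Flag single-host CIDRs (/32 or /128) in CloudFormation security group ingress rules.

Added example, not Datadog's rule code. It assumes the template is already a
Python dict (json.load, or a CloudFormation tag-aware YAML loader for YAML).
"""
import ipaddress
import json
from typing import Any, Dict, Iterator, List, Tuple

CIDR_KEYS = ("CidrIp", "CidrIpv6")


def is_single_host(cidr: str) -> bool:
    """True when the CIDR covers exactly one address (/32 IPv4, /128 IPv6).

    Prefix length is compared via the ipaddress module instead of searching for
    the literal text "/32", so a bare host address with no prefix is caught too.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # not a CIDR literal; nothing for a static check to decide
    return net.prefixlen == net.max_prefixlen


def _ingress_entries(logical_id: str, resource: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, ingress-rule-properties) for both resource types the check covers."""
    props = resource.get("Properties") or {}
    rtype = resource.get("Type")
    if rtype == "AWS::EC2::SecurityGroupIngress":
        yield f"{logical_id}.Properties", props
    elif rtype == "AWS::EC2::SecurityGroup":
        for i, entry in enumerate(props.get("SecurityGroupIngress") or []):
            yield f"{logical_id}.Properties.SecurityGroupIngress[{i}]", entry


def find_single_host_ingress(template: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (path.key, cidr) for each ingress CidrIp/CidrIpv6 that is a single address.

    Non-string values (Ref, Fn::Sub, Fn::GetAtt, ...) are skipped: they are only
    resolved at deploy time and cannot be evaluated statically.
    """
    findings: List[Tuple[str, str]] = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        for path, entry in _ingress_entries(logical_id, resource):
            for key in CIDR_KEYS:
                value = entry.get(key)
                if isinstance(value, str) and is_single_host(value):
                    findings.append((f"{path}.{key}", value))
    return findings


# Constructed sample: the ingress parts of the non-compliant fixture above, plus a
# hypothetical Ref-valued CidrIp (parameter name "OfficeCidr" is made up) that the
# checker must leave alone.
NON_COMPLIANT = json.loads("""
{
  "Resources": {
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
                     "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                     "CidrIpv6": "::/128"}
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "122.24.0.0/32"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": {"Ref": "OfficeCidr"}}
        ]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for path, cidr in find_single_host_ingress(NON_COMPLIANT):
        print(f"single-host ingress CIDR {cidr} at {path}")
```

Running the block against the sample reports the ::/128 entry on InboundRule and the 122.24.0.0/32 entry on InstanceSecurityGroup, and stays silent on the Ref-valued entry. Swapping the flagged literals for a network range, a SourceSecurityGroupId, or a SourcePrefixListId (and dropping the CIDR key) clears the findings.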
Ruleset configuration (static-analysis.datadog.yml):

```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```