Setting IpProtocol to -1 allows all protocols and all ports. This greatly increases attack surface and can expose services or enable lateral movement if an ingress rule is too permissive.
Check AWS::EC2::SecurityGroupIngress resources and AWS::EC2::SecurityGroup resources’ SecurityGroupIngress entries. IpProtocol must not be set to -1. Resources with IpProtocol: -1 will be flagged. Specify explicit protocols (for example, tcp, udp, or icmp, or their numeric protocol values) and define FromPort/ToPort where applicable. If broader access is required, restrict the source to a specific CIDR or use a referenced security group.
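The check described above, as an added standalone example (not Datadog's rule implementation): it walks a parsed CloudFormation template and reports every standalone AWS::EC2::SecurityGroupIngress resource and every inline SecurityGroupIngress entry of an AWS::EC2::SecurityGroup whose IpProtocol is -1, matching both the numeric and the string form that CloudFormation accepts. The sample template, logical IDs and file name are constructed for the example.

```python
import json
import sys

# CloudFormation accepts IpProtocol as a number or a string, so match both forms.
ALL_PROTOCOLS = {-1, "-1"}

def _allows_all_protocols(rule):
    return rule.get("IpProtocol") in ALL_PROTOCOLS

def find_all_protocol_ingress(template):
    """Return the locations of ingress rules with IpProtocol -1 (all protocols).

    Checks standalone AWS::EC2::SecurityGroupIngress resources and the inline
    SecurityGroupIngress entries of AWS::EC2::SecurityGroup. Egress is out of
    scope for this rule, so SecurityGroupEgress entries are not inspected.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroupIngress":
            if _allows_all_protocols(props):
                findings.append(logical_id)
        elif rtype == "AWS::EC2::SecurityGroup":
            for idx, rule in enumerate(props.get("SecurityGroupIngress", [])):
                if _allows_all_protocols(rule):
                    findings.append(f"{logical_id}.SecurityGroupIngress[{idx}]")
    return findings

# Constructed sample template: one inline rule and one standalone resource use -1;
# the tcp/443 rule is correctly scoped and must not be flagged.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "constructed example", "VpcId": {"Ref": "myVPC"},
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
        {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
    "OpenRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
      "IpProtocol": -1, "GroupId": {"Fn::GetAtt": ["WebSG", "GroupId"]},
      "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}}}
  }
}""")

if __name__ == "__main__":
    # Usage: python check_ingress.py template.json (defaults to the sample above)
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for location in find_all_protocol_ingress(tpl):
        print(f"IpProtocol -1 in ingress rule: {location}")
```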
Compliant code example (every ingress rule names an explicit protocol):

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
        ],
        "SecurityGroupEgress": [
          {"FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp"}
        ],
        "GroupDescription": "Allow http to client host",
        "VpcId": {"Ref": "myVPC"}
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "ToPort": 65535,
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "IpProtocol": "tcp",
        "FromPort": 0
      }
    }
  }
}
Non-compliant code example (the inline ingress entry and the InboundRule resource set IpProtocol to -1):

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": -1, "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
        ],
        "SecurityGroupEgress": [
          {"FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp"}
        ],
        "GroupDescription": "Allow http to client host"
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "ToPort": 65535,
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "IpProtocol": "tcp",
        "FromPort": 0
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "IpProtocol": -1,
        "FromPort": 0,
        "ToPort": 65535,
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}
      }
    }
  }
}
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS