Security group ingress rules that specify a port range (FromPort does not equal ToPort) broaden the network attack surface and can unintentionally expose services that were not meant to be reachable.
In CloudFormation, AWS::EC2::SecurityGroupIngress resources must have FromPort equal to ToPort. Each entry in an AWS::EC2::SecurityGroup resource’s SecurityGroupIngress list must also have FromPort equal to ToPort. Any ingress entry where these values differ will be flagged. Resources that intentionally require ranges should include a documented justification and restrict allowed sources (for example, via CidrIp or SourceSecurityGroupId) to minimize exposure. Note that protocol-specific behavior (for example, ICMP type/code) may use these fields differently and still requires careful review.
Compliant example (every ingress entry has FromPort equal to ToPort):

```json
{
  "Resources": {
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 0,
        "SourceSecurityGroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "GroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "Description": "TCP"
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
        ]
      }
    },
    "OutboundRule": {
      "Properties": {
        "DestinationSecurityGroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "GroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 0
      },
      "Type": "AWS::EC2::SecurityGroupEgress"
    }
  }
}
```
Non-compliant example (the SecurityGroupIngress entry spans ports 80-87 and the InboundRule resource spans 0-65535; both are flagged):

```json
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "Description": "TCP", "FromPort": 80, "ToPort": 87, "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 87, "CidrIp": "0.0.0.0/0" }
        ],
        "GroupDescription": "Allow http to client host"
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "ToPort": 65535,
        "DestinationSecurityGroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] },
        "GroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "SourceSecurityGroupId": { "Fn::GetAtt": ["SourceSG", "GroupId"] },
        "GroupId": { "Fn::GetAtt": ["TargetSG", "GroupId"] }
      }
    }
  }
}
```
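The check described above, as an added example that is not Datadog's own implementation: a small Python function that walks a parsed CloudFormation template, inspects every `AWS::EC2::SecurityGroupIngress` resource and every entry in an `AWS::EC2::SecurityGroup` resource's `SecurityGroupIngress` list, and reports each entry whose `FromPort` differs from `ToPort`. Two design choices are assumptions, not part of the rule text: ICMP entries (where the two fields carry type/code rather than a port range) are still reported but tagged `review` instead of `fail`, and entries that declare neither port are skipped. Egress entries are ignored because the rule covers ingress only. The embedded templates are constructed to mirror the compliant and non-compliant examples on this page, plus one ICMP case.

```python
"""Flag CloudFormation ingress entries where FromPort != ToPort."""
import json
from dataclasses import dataclass

INGRESS_RESOURCE = "AWS::EC2::SecurityGroupIngress"
GROUP_RESOURCE = "AWS::EC2::SecurityGroup"
# Assumed: protocols whose FromPort/ToPort mean ICMP type/code, not a port range.
ICMP_PROTOCOLS = {"icmp", "icmpv6", "1", "58"}


@dataclass(frozen=True)
class Finding:
    resource: str    # logical ID of the resource that owns the entry
    location: str    # where inside the resource the entry lives
    from_port: object
    to_port: object
    severity: str    # "fail" for a port range, "review" for ICMP type/code


def _check_entry(resource, location, props):
    from_port = props.get("FromPort")
    to_port = props.get("ToPort")
    if from_port is None and to_port is None:
        # No ports declared (e.g. IpProtocol -1): assumed out of scope here.
        return None
    if from_port == to_port:
        return None
    proto = str(props.get("IpProtocol", "")).lower()
    severity = "review" if proto in ICMP_PROTOCOLS else "fail"
    return Finding(resource, location, from_port, to_port, severity)


def find_port_ranges(template):
    """Return one Finding per ingress entry whose FromPort differs from ToPort."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == INGRESS_RESOURCE:
            finding = _check_entry(name, "Properties", props)
            if finding:
                findings.append(finding)
        elif rtype == GROUP_RESOURCE:
            # Egress lists are deliberately not inspected; the rule is ingress-only.
            for i, entry in enumerate(props.get("SecurityGroupIngress", [])):
                finding = _check_entry(name, f"SecurityGroupIngress[{i}]", entry)
                if finding:
                    findings.append(finding)
    return findings


def check_template_json(text):
    return find_port_ranges(json.loads(text))


# Constructed sample templates (shaped like the page's examples, not copied from a real stack).
COMPLIANT_TEMPLATE = json.dumps({"Resources": {
    "InboundRule": {"Type": INGRESS_RESOURCE, "Properties": {
        "IpProtocol": "tcp", "FromPort": 0, "ToPort": 0,
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}}},
    "InstanceSecurityGroup": {"Type": GROUP_RESOURCE, "Properties": {
        "GroupDescription": "Allow http to client host", "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}}}})

NONCOMPLIANT_TEMPLATE = json.dumps({"Resources": {
    "InstanceSecurityGroup": {"Type": GROUP_RESOURCE, "Properties": {
        "GroupDescription": "Allow http to client host", "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 87, "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 87, "CidrIp": "0.0.0.0/0"}]}},
    "OutboundRule": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}}},
    "InboundRule": {"Type": INGRESS_RESOURCE, "Properties": {
        "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}}}}})

# ICMP echo request (type 8, any code): fields differ but are not a port range.
ICMP_TEMPLATE = json.dumps({"Resources": {
    "PingRule": {"Type": INGRESS_RESOURCE, "Properties": {
        "IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
        "CidrIp": "10.0.0.0/8", "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}}}}})

if __name__ == "__main__":
    for label, tpl in [("compliant", COMPLIANT_TEMPLATE),
                       ("non-compliant", NONCOMPLIANT_TEMPLATE),
                       ("icmp", ICMP_TEMPLATE)]:
        for f in check_template_json(tpl):
            print(f"{label}: {f.severity} {f.resource}/{f.location} {f.from_port}-{f.to_port}")
```

Running the script prints nothing for the compliant template, two `fail` lines for the non-compliant one (the 80-87 list entry and the 0-65535 `InboundRule` resource; the egress range in `OutboundRule` is not this rule's concern), and one `review` line for the ICMP rule so a human can confirm the type/code pair is intended.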
Ruleset entry that enables this rule:

```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```