--- title: Security group rule without description description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Security group rule without description --- # Security group rule without description {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-security-group-rule-without-description` **Provider:** AWS **Platform:** CloudFormation **Severity:** Low **Category:** Best Practices #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) ### Description{% #description %} Security groups and their ingress/egress rules should include descriptive metadata to document their purpose and scope. Missing descriptions hinder audits and change reviews and make it easier for overly permissive or unintended rules to persist unnoticed. In CloudFormation, the `GroupDescription` property on `AWS::EC2::SecurityGroup` must be defined. Every rule must also set a `Description`, either as entries in `SecurityGroupIngress`/`SecurityGroupEgress` on the security group resource or on standalone `AWS::EC2::SecurityGroupIngress`/`AWS::EC2::SecurityGroupEgress` resources. Resources or array entries missing these properties will be flagged. Use concise, intent-revealing descriptions that explain the allowed traffic and the rationale for the rule. Secure configuration example: ```yaml MySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Web server security group for production environment VpcId: !Ref MyVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 Description: Allow HTTPS traffic from internet - IpProtocol: tcp FromPort: 22 ToPort: 22 SourceSecurityGroupId: !Ref BastionSG Description: Allow SSH from bastion host for admin access ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - IpProtocol: tcp Description: TCP FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - IpProtocol: tcp Description: TCP FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 OutboundRule: Type: AWS::EC2::SecurityGroupEgress Properties: Description: TCP IpProtocol: tcp FromPort: 0 ToPort: 65535 DestinationSecurityGroupId: Fn::GetAtt: - TargetSG - GroupId GroupId: Fn::GetAtt: - SourceSG - GroupId InboundRule: Type: AWS::EC2::SecurityGroupIngress Properties: Description: TCP IpProtocol: tcp FromPort: 0 ToPort: 65535 SourceSecurityGroupId: Fn::GetAtt: - SourceSG - GroupId GroupId: Fn::GetAtt: - TargetSG - GroupId ``` ```json { "Resources": { "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow http to client host", "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ], "SecurityGroupEgress": [ { "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "Description": "TCP" } ] } }, "OutboundRule": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "GroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }, "Description": "TCP", "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "DestinationSecurityGroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] } } }, "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "Description": "TCP", "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "SourceSecurityGroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] } } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: VpcId: Ref: myVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 OutboundRule: Type: AWS::EC2::SecurityGroupEgress Properties: IpProtocol: tcp FromPort: 0 ToPort: 65535 DestinationSecurityGroupId: Fn::GetAtt: - TargetSG - GroupId GroupId: Fn::GetAtt: - SourceSG - GroupId InboundRule: Type: AWS::EC2::SecurityGroupIngress Properties: IpProtocol: tcp FromPort: 0 ToPort: 65535 SourceSecurityGroupId: Fn::GetAtt: - SourceSG - GroupId GroupId: Fn::GetAtt: - TargetSG - GroupId ``` ```json { "Resources": { "OutboundRule": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "DestinationSecurityGroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] } } }, "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { "SourceSecurityGroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }, "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535 } }, "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ], "SecurityGroupEgress": [ { "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80 } ], "VpcId": { "Ref": "myVPC" } } } } } ```