For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-security-groups-unrestricted-access-to-rdp.md. A documentation index is available at /llms.txt.

Security group unrestricted access to RDP

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-security-groups-unrestricted-access-to-rdp

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Networking and Firewall

Learn More

Description

Allowing RDP (TCP port 3389) from the public internet (0.0.0.0/0) exposes hosts to automated scanning, brute-force attacks, and unauthorized remote access. This rule flags AWS::EC2::SecurityGroup resources whose Properties.SecurityGroupIngress entries have CidrIp: 0.0.0.0/0 and either FromPort or ToPort set to 3389.

To remediate, restrict ingress to specific trusted CIDR ranges or reference a trusted security group (using SourceSecurityGroupId), or require access via a bastion host or VPN. Any ingress entry with CidrIp: "0.0.0.0/0" for port 3389 will be reported.

Secure configuration examples:

MyRdpSg:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: RDP access restricted to corporate network
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3389
        ToPort: 3389
        CidrIp: 203.0.113.0/24

MyRdpSg:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: RDP access via internal bastion
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 3389
        ToPort: 3389
        SourceSecurityGroupId: sg-0123456789abcdef0

Compliant Code Examples

Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/33

{
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": [
          "InstanceSecurityGroup"
        ],
        "KeyName": "mykey",
        "ImageId": ""
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/33"
          }
        ],
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "127.0.0.1/32"
          }
        ]
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          CidrIp: 0.0.0.0/0
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "KeyName": "mykey",
        "ImageId": "",
        "SecurityGroups": [
          "InstanceSecurityGroup"
        ]
      }
    }
  }
}