Security groups must not allow inbound access from the public internet (0.0.0.0/0) to high-risk service ports. Public exposure of these services increases the risk of brute-force attacks, exploitation of known vulnerabilities, and unauthorized access or lateral movement.
This rule inspects AWS::EC2::SecurityGroup resources and flags SecurityGroupIngress entries where CidrIp is 0.0.0.0/0 and either FromPort or ToPort equals one of 20, 21, 22, 23, 115, 137, 138, 139, 2049, or 3389.
To remediate, restrict CidrIp to trusted CIDR ranges, use security group references, or place access behind a bastion host or VPN. Remove or narrow rules for these ports when possible.
Note: This check evaluates IPv4 CidrIp entries only. Ensure any IPv6 (::/0) rules are likewise restricted.
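The following script is an added example, not Datadog's scanner code, that re-implements the check described above over a CloudFormation template in JSON form using only the standard library. Its default behaviour mirrors the documented rule (IPv4 `0.0.0.0/0` and `FromPort` or `ToPort` equal to one of the listed ports). Two optional flags go beyond the documented rule: `include_ipv6` also treats `CidrIpv6: ::/0` as public exposure (the caveat in the note above), and `check_ranges` also flags a port range such as `0-65535` that encloses an admin port without naming it. The `SAMPLE_TEMPLATE`, the logical IDs in it, and the function names are constructed for this example.

```python
"""Re-implementation of the "security groups with exhibited admin ports" check.

Added example (not Datadog's own scanner). Operates on a CloudFormation template
that has already been parsed into Python dicts (here: from an embedded JSON string).
"""
import json

# High-risk ports from the rule description: FTP, SSH, Telnet, SFTP(115), NetBIOS, NFS, RDP.
ADMIN_PORTS = {20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389}
OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"


def _as_int(value):
    """FromPort/ToPort may be an int or a numeric string; intrinsics such as
    {"Ref": "..."} cannot be resolved statically and yield None."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def _rule_is_open(rule, include_ipv6):
    """True when the ingress rule admits the whole internet."""
    if rule.get("CidrIp") == OPEN_V4:
        return True
    # Extension beyond the documented rule (assumption): treat ::/0 as public too.
    return include_ipv6 and rule.get("CidrIpv6") == OPEN_V6


def find_exposed_admin_ports(template, include_ipv6=False, check_ranges=False):
    """Return (logical_id, from_port, to_port, cidr) for each offending ingress rule.

    Defaults follow the documented rule exactly. check_ranges=True additionally
    flags a range that encloses an admin port (e.g. 0-65535), which the
    documented rule does not do because neither endpoint equals a listed port.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        ingress = resource.get("Properties", {}).get("SecurityGroupIngress", [])
        for rule in ingress:
            if not _rule_is_open(rule, include_ipv6):
                continue
            lo, hi = _as_int(rule.get("FromPort")), _as_int(rule.get("ToPort"))
            hit = lo in ADMIN_PORTS or hi in ADMIN_PORTS
            if not hit and check_ranges and lo is not None and hi is not None:
                hit = any(lo <= port <= hi for port in ADMIN_PORTS)
            if hit:
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                findings.append((logical_id, lo, hi, cidr))
    return findings


# Constructed sample template (modelled on the page's examples, plus an IPv6 rule
# and a wide port range to exercise the two optional extensions).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "OpenFtp": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "FTP open to the world (non-compliant)",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 20, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "ScopedSsh": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "SSH from a trusted subnet (compliant)",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}
        ]
      }
    },
    "WideRange": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Range enclosing admin ports, and RDP over IPv6",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIpv6": "::/0"}
        ]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for flags in ({}, {"include_ipv6": True, "check_ranges": True}):
        print(flags, find_exposed_admin_ports(SAMPLE_TEMPLATE, **flags))
```

With the defaults only `OpenFtp` is reported, matching the rule as documented; with both flags on, the `0-65535` range and the IPv6 RDP rule in `WideRange` are reported as well. A YAML template would need a YAML parser that tolerates short-form tags such as `!Ref` before it can be passed to `find_exposed_admin_ports` (assumption: PyYAML with a custom constructor, not shown here).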
Secure example restricting SSH to a trusted subnet:
```yaml
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: SSH access from admin network
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 203.0.113.0/24
```
Compliant Code Examples
```yaml
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/33
```
```json
{
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": ["InstanceSecurityGroup"],
        "KeyName": "mykey",
        "ImageId": ""
      }
    },
    "InstanceSecurityGroup": {
      "Properties": {
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "127.0.0.1/32" }
        ],
        "SecurityGroupEgress": [
          { "CidrIp": "127.0.0.1/33", "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80 }
        ],
        "GroupDescription": "Allow http to client host"
      },
      "Type": "AWS::EC2::SecurityGroup"
    }
  }
}
```
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 11.22.33.44/32
```
Non-Compliant Code Examples
```yaml
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 20
          ToPort: 20
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
```
```json
{
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "",
        "SecurityGroups": ["InstanceSecurityGroup"],
        "KeyName": "mykey"
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": 20, "ToPort": 20 }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
        ],
        "GroupDescription": "Allow http to client host"
      }
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```