Security groups must not allow ingress from 0.0.0.0/0 across all ports. An all-ports public rule exposes instances to the internet and enables indiscriminate port scanning and brute-force attacks.
In CloudFormation, check Resources.*.Properties.SecurityGroupIngress entries (and standalone AWS::EC2::SecurityGroupIngress resources) and ensure no rule has CidrIp: 0.0.0.0/0 with FromPort: 0 and ToPort: 65535. Resources containing such an entry will be flagged.
To remediate, restrict CidrIp to trusted IP ranges, narrow the port range to only the required ports (for example, 80 and 443), or reference other security groups or load balancers to provide controlled access.
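The check described above, as an added example that is not Datadog's own rule implementation: a small Python checker that walks a parsed CloudFormation template (JSON form), inspects inline SecurityGroupIngress entries and standalone AWS::EC2::SecurityGroupIngress resources, and reports the logical IDs that open every port to 0.0.0.0/0. It goes slightly beyond the rule text by also treating IpProtocol -1 (all traffic, no port bounds) and the IPv6 equivalent ::/0 as all-ports public; the embedded templates are constructed, modelled on the examples on this page.

```python
import json

ALL_IPV4 = "0.0.0.0/0"
ALL_IPV6 = "::/0"  # added generalization: IPv6 equivalent, not named in the rule text


def is_all_ports_public(rule):
    """True when one ingress rule opens every port to the whole internet."""
    public = rule.get("CidrIp") == ALL_IPV4 or rule.get("CidrIpv6") == ALL_IPV6
    if not public:
        return False
    # The rule text matches FromPort 0 / ToPort 65535; IpProtocol -1 ("all
    # traffic") carries no port restriction at all, so it is treated the same.
    if str(rule.get("IpProtocol")) == "-1":
        return True
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def find_all_ports_public_ingress(template):
    """Sorted logical IDs of resources carrying an all-ports public ingress rule."""
    flagged = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])  # inline rules
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]  # standalone rule resource
        else:
            continue
        if any(is_all_ports_public(r) for r in rules):
            flagged.append(name)
    return sorted(flagged)


# Constructed templates (JSON form) modelled on the page's examples.
NON_COMPLIANT = json.loads("""{"Resources": {
  "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "Allow http to client host",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                              "CidrIp": "0.0.0.0/0"}]}},
  "OpenToAll": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": {"Ref": "InstanceSecurityGroup"}, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}}}}""")
COMPLIANT = json.loads("""{"Resources": {
  "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "Web server security group",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "CidrIp": "0.0.0.0/0"}]}}}}""")
```

Running `find_all_ports_public_ingress(NON_COMPLIANT)` returns both logical IDs, while the 443-only template returns an empty list.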
Secure configuration example (allow only specific ports):
```yaml
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Web server security group
    VpcId: !Ref MyVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
```
Compliant Code Examples
```yaml
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/33
```
```json
{
  "Resources": {
    "Ec2Instance": {
      "Properties": {
        "SecurityGroups": ["InstanceSecurityGroup"],
        "KeyName": "mykey",
        "ImageId": ""
      },
      "Type": "AWS::EC2::Instance"
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "ToPort": 80, "CidrIp": "127.0.0.1/32", "IpProtocol": "tcp", "FromPort": 80 }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "127.0.0.1/33" }
        ]
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
```
```json
{
  "Resources": {
    "Ec2Instance": {
      "Properties": {
        "SecurityGroups": ["InstanceSecurityGroup"],
        "KeyName": "mykey",
        "ImageId": ""
      },
      "Type": "AWS::EC2::Instance"
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
        ]
      }
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```