--- title: Security groups with meta IP description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Security groups with meta IP --- # Security groups with meta IP {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-security-groups-with-meta-ip` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) ### Description{% #description %} Security groups must not allow ingress from `0.0.0.0/0` across all ports. An all-ports public rule exposes instances to the internet and enables indiscriminate port scanning and brute-force attacks. In CloudFormation, check `Resources.*.Properties.SecurityGroupIngress` entries (and standalone `AWS::EC2::SecurityGroupIngress` resources) and ensure no rule has `CidrIp: 0.0.0.0/0` with `FromPort: 0` and `ToPort: 65535`. Resources containing such an entry will be flagged. To remediate, restrict `CidrIp` to trusted IP ranges, narrow the port range to only the required ports (for example, `80` and `443`), or reference other security groups or load balancers to provide controlled access. Secure configuration example (allow only specific ports): ```yaml MySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Web server security group VpcId: !Ref MyVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Resources: Ec2Instance: Type: 'AWS::EC2::Instance' Properties: SecurityGroups: - !Ref InstanceSecurityGroup KeyName: mykey ImageId: '' InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 127.0.0.1/32 SecurityGroupEgress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 127.0.0.1/33 ``` ```json { "Resources": { "Ec2Instance": { "Properties": { "SecurityGroups": [ "InstanceSecurityGroup" ], "KeyName": "mykey", "ImageId": "" }, "Type": "AWS::EC2::Instance" }, "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow http to client host", "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "ToPort": 80, "CidrIp": "127.0.0.1/32", "IpProtocol": "tcp", "FromPort": 80 } ], "SecurityGroupEgress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "127.0.0.1/33" } ] } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml Resources: Ec2Instance: Type: 'AWS::EC2::Instance' Properties: SecurityGroups: - !Ref InstanceSecurityGroup KeyName: mykey ImageId: '' InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 0 ToPort: 65535 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 ``` ```json { "Resources": { "Ec2Instance": { "Properties": { "SecurityGroups": [ "InstanceSecurityGroup" ], "KeyName": "mykey", "ImageId": "" }, "Type": "AWS::EC2::Instance" }, "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow http to client host", "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp" } ], "SecurityGroupEgress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ] } } } } ```