Allowing SSH (TCP port 22) from the public internet (0.0.0.0/0) exposes instances to brute-force attacks, credential theft, lateral movement, and unauthorized access. In CloudFormation AWS::EC2::SecurityGroup resources, any Properties.SecurityGroupIngress entry with CidrIp: 0.0.0.0/0 and FromPort or ToPort equal to 22 will be flagged.
To remediate, restrict SSH ingress to specific trusted IP ranges, use a bastion/jump host, or adopt AWS Systems Manager Session Manager instead of opening port 22. Resources containing the insecure ingress entry will be reported.
Secure configuration example (restrict SSH to a single IP):

```yaml
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow SSH from admin IP only
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 203.0.113.4/32
```
Note: this rule specifically matches ingress entries where FromPort == 22 or ToPort == 22; port ranges that include 22 but do not have 22 as an endpoint may not be detected by this check.
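The following checker is an added illustration of the rule's stated match logic, not Datadog's own rule implementation. It reads a CloudFormation template in JSON form (the YAML form would need a loader that understands tags such as `!Ref`, which is left out here), walks every `AWS::EC2::SecurityGroup`, and flags ingress entries with `CidrIp: 0.0.0.0/0` where `FromPort` or `ToPort` is 22. A `strict` mode (an assumption of this example, not the page's rule) also catches the caveat case above: port ranges that merely contain 22, and `IpProtocol: -1` entries that admit all traffic. The three templates are constructed sample inputs; two of them mirror the JSON examples on this page.

```python
import json

SSH_PORT = 22
ANY_IPV4 = "0.0.0.0/0"


def _as_int(value):
    """CloudFormation port fields may be ints or strings; normalise, else None."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def ingress_entry_matches(entry, strict=False):
    """True if one SecurityGroupIngress entry opens SSH to the whole internet.

    Default mode mirrors the rule text: CidrIp is 0.0.0.0/0 and FromPort or
    ToPort equals 22. strict=True (assumption, not the rule's behaviour) also
    flags ranges that contain 22 and IpProtocol -1 (all protocols and ports).
    """
    if entry.get("CidrIp") != ANY_IPV4:
        return False
    from_port = _as_int(entry.get("FromPort"))
    to_port = _as_int(entry.get("ToPort"))
    if from_port == SSH_PORT or to_port == SSH_PORT:
        return True
    if not strict:
        return False
    if str(entry.get("IpProtocol")) == "-1":
        return True  # all traffic, so SSH is included even without ports
    if from_port is not None and to_port is not None:
        return from_port <= SSH_PORT <= to_port
    return False


def find_open_ssh_groups(template, strict=False):
    """Return logical IDs of AWS::EC2::SecurityGroup resources that match."""
    flagged = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        ingress = resource.get("Properties", {}).get("SecurityGroupIngress", [])
        if any(ingress_entry_matches(entry, strict) for entry in ingress):
            flagged.append(logical_id)
    return flagged


# Constructed sample templates (JSON form) used to exercise the checker.
NON_COMPLIANT = json.loads("""
{"Resources": {"InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
  "Properties": {"GroupDescription": "Allow http to client host",
    "VpcId": {"Ref": "myVPC"},
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                              "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}}}
""")

COMPLIANT = json.loads("""
{"Resources": {"InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
  "Properties": {"GroupDescription": "Allow http to client host",
    "VpcId": {"Ref": "myVPC"},
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80,
                              "ToPort": 80, "CidrIp": "127.0.0.1/32"}]}}}}
""")

# Port range 20-23 contains 22 but neither endpoint is 22: the caveat case.
RANGE_TEMPLATE = json.loads("""
{"Resources": {"AdminSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
  "Properties": {"GroupDescription": "FTP/SSH/telnet range",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 20,
                              "ToPort": 23, "CidrIp": "0.0.0.0/0"}]}}}}
""")

if __name__ == "__main__":
    for name, tpl in (("non-compliant", NON_COMPLIANT),
                      ("compliant", COMPLIANT),
                      ("range", RANGE_TEMPLATE)):
        print(name, "default:", find_open_ssh_groups(tpl),
              "strict:", find_open_ssh_groups(tpl, strict=True))
```

Running it shows the gap the note describes: the `RANGE_TEMPLATE` group is reported only in strict mode, so a template review that relies on the endpoint match alone should also look for wide port ranges and `IpProtocol: -1` entries bound to `0.0.0.0/0`.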
Compliant Code Examples
```yaml
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/32
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 127.0.0.1/33
```

```json
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "FromPort": 80, "ToPort": 80, "CidrIp": "127.0.0.1/32", "IpProtocol": "tcp" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "127.0.0.1/33" }
        ]
      }
    },
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": ["InstanceSecurityGroup"],
        "KeyName": "mykey",
        "ImageId": ""
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: mykey
      ImageId: ''
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
```

```json
{
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "",
        "SecurityGroups": ["InstanceSecurityGroup"],
        "KeyName": "mykey"
      }
    },
    "InstanceSecurityGroup": {
      "Properties": {
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" }
        ],
        "GroupDescription": "Allow http to client host",
        "VpcId": { "Ref": "myVPC" },
        "SecurityGroupIngress": [
          { "ToPort": 22, "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": 22 }
        ]
      },
      "Type": "AWS::EC2::SecurityGroup"
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```