Security groups must be associated with a specific VPC to ensure network isolation and to allow enforcement of VPC-level controls. A security group without a VpcId may end up outside the intended VPC (or require EC2-Classic), which prevents proper subnet scoping, VPC flow logging, and other VPC security controls and can lead to unintended exposure.
For AWS::EC2::SecurityGroup resources, Properties.VpcId must be defined (for example, !Ref MyVPC or an explicit VPC ID). This rule flags security groups where Properties.VpcId is undefined and the group is not the default group (GroupName != "default").
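The check described above can be expressed as a few lines of template inspection. The following is an added example written for this page, not Datadog's own rule implementation: it reads a CloudFormation template in JSON form (the YAML short-form tags such as `!Ref` are not handled), treats a `VpcId` that is missing, `null` or empty as undefined, and exempts resources whose `GroupName` is `"default"`. The two templates embedded at the bottom are constructed for illustration.

```python
"""Flag AWS::EC2::SecurityGroup resources with no Properties.VpcId,
unless the resource is the default group (GroupName == "default").

Example code, not Datadog's scanner. Assumptions: JSON templates only;
a VpcId that is missing, null or empty counts as undefined."""
import json

SG_TYPE = "AWS::EC2::SecurityGroup"


def _vpc_id_defined(props):
    # A VpcId counts as defined when it is present and non-empty. Both a
    # literal ID string and an intrinsic such as {"Ref": "myVPC"} pass.
    vpc_id = props.get("VpcId")
    if vpc_id is None:
        return False
    if isinstance(vpc_id, (str, dict)) and len(vpc_id) == 0:
        return False
    return True


def find_security_groups_without_vpc(template):
    """Return the logical IDs of security groups that violate the rule."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SG_TYPE:
            continue
        props = resource.get("Properties") or {}
        if props.get("GroupName") == "default":
            continue  # the default group is exempt from this rule
        if not _vpc_id_defined(props):
            findings.append(logical_id)
    return findings


def check_template_json(text):
    """Parse a JSON template and run the rule over it."""
    return find_security_groups_without_vpc(json.loads(text))


# Constructed templates, reduced to the parts the rule inspects.
COMPLIANT = json.dumps({
    "Resources": {
        "InstanceSecurityGroup": {
            "Type": SG_TYPE,
            "Properties": {
                "GroupDescription": "Enable SSH access via port 22",
                "VpcId": {"Ref": "myVPC"},
            },
        }
    }
})

NON_COMPLIANT = json.dumps({
    "Resources": {
        # No VpcId and not the default group: flagged.
        "InstanceSecurityGroup": {
            "Type": SG_TYPE,
            "Properties": {"GroupDescription": "Enable SSH access via port 22"},
        },
        # Default group without VpcId: exempt.
        "DefaultGroup": {
            "Type": SG_TYPE,
            "Properties": {"GroupName": "default", "GroupDescription": "default"},
        },
        # Not a security group: ignored.
        "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {}},
    }
})

if __name__ == "__main__":
    print("compliant:", check_template_json(COMPLIANT))          # []
    print("non-compliant:", check_template_json(NON_COMPLIANT))  # ['InstanceSecurityGroup']
```

Running the script reports no findings for the compliant template and a single finding, `InstanceSecurityGroup`, for the non-compliant one; the exempt default group and the EC2 instance are not reported.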
Compliant Code Examples

```yaml
Parameters:
  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
        - MyExistingSecurityGroup
      KeyName: !Ref KeyName
      ImageId: ami-7a11e213
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: My Group Name
      GroupDescription: Enable SSH access via port 22
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
```

```json
{
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": ["InstanceSecurityGroup", "MyExistingSecurityGroup"],
        "KeyName": "KeyName",
        "ImageId": "ami-7a11e213"
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "22",
            "ToPort": "22",
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "GroupName": "My Group Name",
        "GroupDescription": "Enable SSH access via port 22",
        "VpcId": { "Ref": "myVPC" }
      }
    }
  },
  "Parameters": {
    "KeyName": {
      "Description": "The EC2 Key Pair to allow SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName"
    }
  }
}
```
Non-Compliant Code Examples
```yaml
Parameters:
  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
        - MyExistingSecurityGroup
      KeyName: !Ref KeyName
      ImageId: ami-7a11e213
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupName: My Group Name
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
```

```json
{
  "Parameters": {
    "KeyName": {
      "Description": "The EC2 Key Pair to allow SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName"
    }
  },
  "Resources": {
    "Ec2Instance": {
      "Properties": {
        "SecurityGroups": ["InstanceSecurityGroup", "MyExistingSecurityGroup"],
        "KeyName": "KeyName",
        "ImageId": "ami-7a11e213"
      },
      "Type": "AWS::EC2::Instance"
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupName": "My Group Name",
        "GroupDescription": "Enable SSH access via port 22",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": "22",
            "ToPort": "22",
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```