--- title: Unknown port exposed to internet description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Unknown port exposed to internet --- # Unknown port exposed to internet {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-unknown-port-exposed-to-internet` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) ### Description{% #description %} Security groups must not expose unknown TCP ports to the entire internet because unknown or unapproved ports can host undocumented services and increase the attack surface for scanning and exploitation. For `AWS::EC2::SecurityGroup` resources, this rule inspects each `SecurityGroupIngress` entry and flags entries that use `CidrIp: 0.0.0.0/0` or `CidrIpv6: ::/0` together with `FromPort`/`ToPort` values that are not present in the known TCP ports map. The check treats a missing or unrecognized `FromPort` or `ToPort` as a violation and also flags ranges where any port in `FromPort..ToPort` is unknown. To remediate, restrict the CIDR to trusted IP ranges, use explicit approved ports, or reference other security groups instead. Secure example (allow only a known public port (HTTPS) from the internet, and restrict SSH to a trusted IP range): ```yaml MySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Example secure SG SecurityGroupIngress: - IpProtocol: tcp FromPort: 443 ToPort: 443 CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: 203.0.113.10/32 ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Expose known ports to client host VpcId: Ref: myVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 20 ToPort: 23 CidrIp: 0.0.0.0/0 ``` ```json { "Resources": { "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Expose known port to client host", "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" } ] } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Expose unknown port to client host VpcId: Ref: myVPC SecurityGroupIngress: - IpProtocol: tcp FromPort: 23 ToPort: 25 CidrIp: 0.0.0.0/0 ``` ```json { "Resources": { "InstanceSecurityGroup": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Expose unknown port to client host", "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 110, "ToPort": 119, "CidrIp": "0.0.0.0/0" } ] } } } } ```