For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-unknown-port-exposed-to-internet.md. A documentation index is available at /llms.txt.

Unknown port exposed to internet

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-unknown-port-exposed-to-internet

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Networking and Firewall

Learn More

Description

Security groups must not expose unknown TCP ports to the entire internet because unknown or unapproved ports can host undocumented services and increase the attack surface for scanning and exploitation.

For AWS::EC2::SecurityGroup resources, this rule inspects each SecurityGroupIngress entry and flags entries that use CidrIp: 0.0.0.0/0 or CidrIpv6: ::/0 together with FromPort/ToPort values that are not present in the known TCP ports map. The check treats a missing or unrecognized FromPort or ToPort as a violation and also flags ranges where any port in FromPort..ToPort is unknown.

To remediate, restrict the CIDR to trusted IP ranges, use explicit approved ports, or reference other security groups instead.

Secure example (allow only a known public port (HTTPS) from the internet, and restrict SSH to a trusted IP range):

MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Example secure SG
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: 203.0.113.10/32

Compliant Code Examples

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Expose known ports to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 20
          ToPort: 23
          CidrIp: 0.0.0.0/0

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Expose known port to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}

Non-Compliant Code Examples

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Expose unknown port to client host
        VpcId:
          Ref: myVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 23
          ToPort: 25
          CidrIp: 0.0.0.0/0

{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Expose unknown port to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 110,
            "ToPort": 119,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}