Security groups must not allow ingress from the entire internet (0.0.0.0/0 or ::/0) because such wide-open rules expose instances and services to unauthorized access, brute-force attempts, and remote exploitation.
This rule checks AWS::EC2::SecurityGroupIngress resources (Properties.CidrIp / Properties.CidrIpv6) and AWS::EC2::SecurityGroup resources’ Properties.SecurityGroupIngress entries. CidrIp must not be 0.0.0.0/0 and CidrIpv6 must not be ::/0. Resources with those values will be flagged.
To remediate, restrict access to specific trusted CIDR ranges or VPC-only ranges, use prefix lists, or reference other security groups via SourceSecurityGroupId/SourceSecurityGroupOwnerId.
Compliant example (ingress CIDRs are restricted to specific ranges):

```json
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, "CidrIp": "192.0.2.0/24"}
        ],
        "GroupDescription": "Allow http to client host",
        "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, "CidrIp": "192.0.2.0/24"}
        ]
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 0,
        "CidrIp": "192.0.2.0/24",
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 0,
        "CidrIpv6": "2001:0DB8:1234::/48",
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}
      }
    }
  }
}
```
Non-compliant example (InboundRule uses CidrIpv6 ::/0 and InstanceSecurityGroup's ingress entry uses CidrIp 0.0.0.0/0):

```json
{
  "Resources": {
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "CidrIp": "0.0.0.0/0",
        "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "FromPort": 0,
        "ToPort": 65535,
        "CidrIpv6": "::/0",
        "SourceSecurityGroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
        "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]},
        "Description": "TCP",
        "IpProtocol": "tcp"
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {"Ref": "myVPC"},
        "SecurityGroupIngress": [
          {"ToPort": 80, "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "Description": "TCP", "FromPort": 80}
        ],
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "Description": "TCP", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
        ],
        "GroupDescription": "Allow http to client host"
      }
    }
  }
}
```
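The check this rule performs can be reproduced in a few lines of Python. The script below is an added example, not Datadog's scanner: it walks a parsed CloudFormation template, inspects AWS::EC2::SecurityGroupIngress resources and the SecurityGroupIngress entries of AWS::EC2::SecurityGroup resources, and reports every CidrIp/CidrIpv6 that covers the whole internet. It goes slightly beyond the page's literal string match by parsing the CIDR with the standard ipaddress module, so equivalent spellings such as 0000::/0 are caught as well, while intrinsic functions (for example a Ref) are skipped rather than misreported. The two templates embedded in it are condensed from the compliant and non-compliant examples above; the function names are this example's own.

```python
"""Added example (not Datadog's own code): flag unrestricted ingress rules in a
CloudFormation template, following the check described on this page."""
import ipaddress
import json

# Resource types whose ingress rules the page's rule inspects.
STANDALONE_INGRESS = "AWS::EC2::SecurityGroupIngress"
SECURITY_GROUP = "AWS::EC2::SecurityGroup"


def is_unrestricted(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0).

    Parsing with ipaddress (strict=False) also catches spellings such as
    '0000::/0' or '10.0.0.0/0', which the literal string match on the page
    would miss. Non-string values (e.g. {"Ref": ...}) are not literal CIDRs
    and are skipped.
    """
    if not isinstance(cidr, str):
        return False
    try:
        network = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return network.prefixlen == 0


def check_ingress_rule(rule):
    """Return the offending property name for one ingress rule, or None."""
    for prop in ("CidrIp", "CidrIpv6"):
        if is_unrestricted(rule.get(prop)):
            return prop
    return None


def find_unrestricted_ingress(template):
    """Return (logical_id, property) pairs for every unrestricted ingress rule.

    Egress rules are deliberately ignored: the rule on this page is about
    ingress only, so a 0.0.0.0/0 SecurityGroupEgress entry is not a finding.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        rtype = resource.get("Type")
        if rtype == STANDALONE_INGRESS:
            prop = check_ingress_rule(props)
            if prop:
                findings.append((logical_id, prop))
        elif rtype == SECURITY_GROUP:
            for rule in props.get("SecurityGroupIngress", []):
                prop = check_ingress_rule(rule)
                if prop:
                    findings.append((logical_id, prop))
    return findings


# Constructed sample input, condensed from the page's two example templates.
COMPLIANT = json.loads("""{"Resources": {
  "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "Allow http to client host", "VpcId": {"Ref": "myVPC"},
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                              "CidrIp": "192.0.2.0/24"}]}},
  "InboundRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}, "IpProtocol": "tcp",
    "FromPort": 0, "ToPort": 0, "CidrIpv6": "2001:0DB8:1234::/48"}}}}""")

NON_COMPLIANT = json.loads("""{"Resources": {
  "OutboundRule": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
    "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]}, "IpProtocol": "tcp",
    "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}},
  "InboundRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}, "IpProtocol": "tcp",
    "FromPort": 0, "ToPort": 65535, "CidrIpv6": "::/0"}},
  "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "Allow http to client host", "VpcId": {"Ref": "myVPC"},
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                              "CidrIp": "0.0.0.0/0"}],
    "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                             "CidrIp": "0.0.0.0/0"}]}}}}""")


if __name__ == "__main__":
    for name, template in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        findings = find_unrestricted_ingress(template)
        print(f"{name}: {len(findings)} finding(s)")
        for logical_id, prop in findings:
            print(f"  {logical_id}: {prop} allows ingress from the entire internet")
```

Run against the non-compliant template the script reports InboundRule (CidrIpv6) and InstanceSecurityGroup (CidrIp) and stays silent on OutboundRule, which matches what this rule flags; to scan a real template, load it with json.load and pass the resulting dict to find_unrestricted_ingress.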
Ruleset to enable in the static analysis configuration:

```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```