Security group ingress with port range
This product is not supported for your selected
Datadog site. (
).
Id: 87482183-a8e7-4e42-a566-7a23ec231c16
Cloud Provider: AWS
Platform: CloudFormation
Severity: Medium
Category: Networking and Firewall
Learn More
Description
Security group ingress rules that specify a port range (FromPort does not equal ToPort) broaden the network attack surface and can unintentionally expose services that were not meant to be reachable.
In CloudFormation, AWS::EC2::SecurityGroupIngress resources must have FromPort equal to ToPort. Each entry in an AWS::EC2::SecurityGroup resource’s SecurityGroupIngress list must also have FromPort equal to ToPort. Any ingress entry where these values differ will be flagged. Resources that intentionally require ranges should include a documented justification and restrict allowed sources (for example, via CidrIp or SourceSecurityGroupId) to minimize exposure. Note that protocol-specific behavior (for example, ICMP type/code) may use these fields differently and still requires careful review.
Secure configuration examples:
MySgIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: sg-0123456789abcdef0
IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 203.0.113.4/32
MySecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: allow-https
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 198.51.100.0/24
Compliant Code Examples
Resources:
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http to client host
VpcId:
Ref: myVPC
SecurityGroupIngress:
- IpProtocol: tcp
Description: TCP
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
Description: TCP
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
OutboundRule:
Type: AWS::EC2::SecurityGroupEgress
Properties:
Description: TCP
IpProtocol: tcp
FromPort: 0
ToPort: 0
DestinationSecurityGroupId:
Fn::GetAtt:
- TargetSG
- GroupId
GroupId:
Fn::GetAtt:
- SourceSG
- GroupId
InboundRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: TCP
IpProtocol: tcp
FromPort: 0
ToPort: 0
SourceSecurityGroupId:
Fn::GetAtt:
- SourceSG
- GroupId
GroupId:
Fn::GetAtt:
- TargetSG
- GroupId
{
"Resources": {
"InboundRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 0,
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"Description": "TCP"
}
},
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": {
"Ref": "myVPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"Description": "TCP",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"Description": "TCP",
"FromPort": 80,
"ToPort": 80,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"OutboundRule": {
"Properties": {
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"Description": "TCP",
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 0
},
"Type": "AWS::EC2::SecurityGroupEgress"
}
}
}
Non-Compliant Code Examples
{
"Resources": {
"InstanceSecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId": {
"Ref": "myVPC"
},
"SecurityGroupIngress": [
{
"Description": "TCP",
"FromPort": 80,
"ToPort": 87,
"CidrIp": "0.0.0.0/0",
"IpProtocol": "tcp"
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "tcp",
"Description": "TCP",
"FromPort": 80,
"ToPort": 87,
"CidrIp": "0.0.0.0/0"
}
],
"GroupDescription": "Allow http to client host"
}
},
"OutboundRule": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"ToPort": 65535,
"DestinationSecurityGroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"Description": "TCP",
"IpProtocol": "tcp",
"FromPort": 0
}
},
"InboundRule": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"Description": "TCP",
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 65535,
"SourceSecurityGroupId": {
"Fn::GetAtt": [
"SourceSG",
"GroupId"
]
},
"GroupId": {
"Fn::GetAtt": [
"TargetSG",
"GroupId"
]
}
}
}
}
}
Resources:
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http to client host
VpcId:
Ref: myVPC
SecurityGroupIngress:
- IpProtocol: tcp
Description: TCP
FromPort: 80
ToPort: 87
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: tcp
Description: TCP
FromPort: 80
ToPort: 87
CidrIp: 0.0.0.0/0
OutboundRule:
Type: AWS::EC2::SecurityGroupEgress
Properties:
Description: TCP
IpProtocol: tcp
FromPort: 0
ToPort: 65535
DestinationSecurityGroupId:
Fn::GetAtt:
- TargetSG
- GroupId
GroupId:
Fn::GetAtt:
- SourceSG
- GroupId
InboundRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: TCP
IpProtocol: tcp
FromPort: 0
ToPort: 65535
SourceSecurityGroupId:
Fn::GetAtt:
- SourceSG
- GroupId
GroupId:
Fn::GetAtt:
- TargetSG
- GroupId
