Security group rule without description
Id: 5e6c9c68-8a82-408e-8749-ddad78cbb9c5
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Best Practices
Description
Security groups and their ingress/egress rules should include descriptive metadata to document their purpose and scope. Missing descriptions hinder audits and change reviews and make it easier for overly permissive or unintended rules to persist unnoticed.
In CloudFormation, the GroupDescription property on AWS::EC2::SecurityGroup must be defined. Every rule must also set a Description, either as entries in SecurityGroupIngress/SecurityGroupEgress on the security group resource or on standalone AWS::EC2::SecurityGroupIngress/AWS::EC2::SecurityGroupEgress resources. Resources or array entries missing these properties will be flagged. Use concise, intent-revealing descriptions that explain the allowed traffic and the rationale for the rule.
Secure configuration example:
MySecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Web server security group for production environment
    VpcId: !Ref MyVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
        Description: Allow HTTPS traffic from internet
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        SourceSecurityGroupId: !Ref BastionSG
        Description: Allow SSH from bastion host for admin access
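An added example, not Datadog's own checker code, that applies this rule to a CloudFormation template in its JSON form: it walks Resources and reports each security group, inline rule entry or standalone rule resource whose description is missing. The sample template and the treatment of blank strings as missing are assumptions.

```python
SG_TYPE = "AWS::EC2::SecurityGroup"
RULE_TYPES = {"AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress"}

def _blank(value) -> bool:
    # Missing, empty or whitespace-only counts as absent (blank is an assumption
    # on top of the check, which only requires the property to be defined)
    return value is None or not str(value).strip()

def find_missing_descriptions(template: dict) -> list:
    """Report each group, inline rule entry or standalone rule resource lacking a description."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties") or {}
        if rtype == SG_TYPE:
            if _blank(props.get("GroupDescription")):
                findings.append(f"{name}: missing GroupDescription")
            for key in ("SecurityGroupIngress", "SecurityGroupEgress"):  # inline rules
                for i, rule in enumerate(props.get(key) or []):
                    if _blank(rule.get("Description")):
                        findings.append(f"{name}.{key}[{i}]: missing Description")
        elif rtype in RULE_TYPES:  # standalone rule resources
            if _blank(props.get("Description")):
                findings.append(f"{name}: missing Description")
    return findings

# Constructed sample (JSON-shaped dict, so no YAML parser is needed): one compliant
# inline rule, one inline rule and one standalone egress resource without Description.
SAMPLE_TEMPLATE = {
    "Resources": {
        "InstanceSecurityGroup": {
            "Type": SG_TYPE,
            "Properties": {
                "GroupDescription": "Allow http to client host",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                     "CidrIp": "0.0.0.0/0", "Description": "Allow HTTP from internet"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "OutboundRule": {
            "Type": "AWS::EC2::SecurityGroupEgress",
            "Properties": {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                           "GroupId": {"Fn::GetAtt": ["SourceSG", "GroupId"]},
                           "DestinationSecurityGroupId": {"Fn::GetAtt": ["TargetSG", "GroupId"]}},
        },
    }
}
```

Running find_missing_descriptions(SAMPLE_TEMPLATE) flags the second ingress entry and the OutboundRule resource; a template whose every group and rule carries a description returns an empty list.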
Compliant Code Examples
Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          Description: TCP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          Description: TCP
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  OutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: TCP
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      DestinationSecurityGroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
  InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: TCP
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      SourceSecurityGroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId
{
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Allow http to client host",
        "VpcId": {
          "Ref": "myVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "Description": "TCP",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "Description": "TCP"
          }
        ]
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "GroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        },
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "DestinationSecurityGroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        }
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "Description": "TCP",
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "SourceSecurityGroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        }
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "DestinationSecurityGroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        }
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "SourceSecurityGroupId": {
          "Fn::GetAtt": [
            "SourceSG",
            "GroupId"
          ]
        },
        "GroupId": {
          "Fn::GetAtt": [
            "TargetSG",
            "GroupId"
          ]
        },
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "CidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80
          }
        ],
        "VpcId": {
          "Ref": "myVPC"
        }
      }
    }
  }
}
Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
  OutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      DestinationSecurityGroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
  InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      SourceSecurityGroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId