For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation/aws/security_groups_allows_unrestricted_outbound_traffic.md.
Security groups must not allow unrestricted outbound traffic by combining IpProtocol: "ALL" with CidrIp: "0.0.0.0/0". Such a rule permits any protocol to any internet destination: a compromised instance gets a free path for data exfiltration and malware callbacks, and the resulting traffic is harder to detect or contain because nothing in the security group distinguishes it from legitimate egress.
In CloudFormation, check AWS::EC2::SecurityGroup resources and flag any SecurityGroupEgress entry where IpProtocol is ALL and CidrIp is 0.0.0.0/0. Instead, define explicit protocols and ports and restrict destination CIDR blocks to the minimum required. If broad internet egress is needed, prefer specific ports (for example, TCP/443) or centralize outbound access through NAT gateways, proxies, or VPC endpoints. When reviewing templates, keep in mind that AWS also accepts -1 as the all-protocols value, that CidrIpv6: "::/0" is the IPv6 counterpart of 0.0.0.0/0, and that a security group declared with no SecurityGroupEgress block at all keeps the default AWS rule allowing all outbound traffic, so an omitted block is not a restricted one.
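The check described above, written out as an added example that is not Datadog's rule implementation. It goes slightly beyond the rule as stated: besides the "ALL" spelling and 0.0.0.0/0 it also treats -1 as all protocols, ::/0 as the IPv6 wildcard, standalone AWS::EC2::SecurityGroupEgress resources as equivalent to inline entries, and reports security groups that omit SecurityGroupEgress entirely (which keep the AWS default allow-all rule). Templates are loaded as plain dicts with json.loads; a CloudFormation-aware YAML loader for !Ref-style short tags is assumed to exist elsewhere and is not part of this example. The sample template and the sg-0123456789abcdef0 group ID are constructed for the example.

```python
"""Detect CloudFormation security groups with unrestricted egress.

Added example, not Datadog's rule implementation. Templates are plain
dicts (json.loads); YAML with !Ref-style short tags would need a
CloudFormation-aware loader, which is not included here.
"""
import json

# CloudFormation accepts both spellings for "all protocols".
ALL_PROTOCOLS = {"ALL", "-1"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def is_unrestricted_egress(rule: dict) -> bool:
    """True if one egress rule permits any protocol to any destination."""
    proto = str(rule.get("IpProtocol", "")).upper()
    if proto not in ALL_PROTOCOLS:
        return False
    return rule.get("CidrIp") == ANY_IPV4 or rule.get("CidrIpv6") == ANY_IPV6


def find_unrestricted_egress(template: dict) -> list:
    """Logical IDs whose egress allows all protocols to the whole internet.

    Checks inline SecurityGroupEgress entries on AWS::EC2::SecurityGroup and
    standalone AWS::EC2::SecurityGroupEgress resources, which carry the same
    IpProtocol/CidrIp properties.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupEgress") or []
            if any(is_unrestricted_egress(r) for r in rules):
                findings.append(logical_id)
        elif rtype == "AWS::EC2::SecurityGroupEgress":
            if is_unrestricted_egress(props):
                findings.append(logical_id)
    return findings


def find_default_egress(template: dict) -> list:
    """Security groups that declare no SecurityGroupEgress at all.

    AWS attaches an allow-all outbound rule to every new security group and
    only removes it when the template supplies at least one egress rule, so
    an omitted block behaves like ALL to 0.0.0.0/0 even though no flaggable
    entry appears in the template text.
    """
    return [
        logical_id
        for logical_id, resource in template.get("Resources", {}).items()
        if resource.get("Type") == "AWS::EC2::SecurityGroup"
        and not (resource.get("Properties") or {}).get("SecurityGroupEgress")
    ]


# Constructed sample template (not from the page): one group limited to
# TCP/443, one using the "ALL" spelling, one using "-1" with the IPv6
# wildcard, one that omits egress entirely, and one standalone egress
# resource attached to a placeholder group ID.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "HttpsOnlySg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "egress limited to HTTPS",
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "OpenAllSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "all protocols to anywhere",
        "SecurityGroupEgress": [{"IpProtocol": "ALL", "CidrIp": "0.0.0.0/0"}]
      }
    },
    "OpenV6Sg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "-1 spelling, IPv6 wildcard",
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIpv6": "::/0"}]
      }
    },
    "NoEgressDeclaredSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "relies on the AWS default rule"}
    },
    "StandaloneEgress": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {"GroupId": "sg-0123456789abcdef0", "IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}
    }
  }
}
""")

if __name__ == "__main__":
    print("unrestricted egress:", find_unrestricted_egress(SAMPLE_TEMPLATE))
    print("default (undeclared) egress:", find_default_egress(SAMPLE_TEMPLATE))
```

Running the module reports OpenAllSg, OpenV6Sg and StandaloneEgress as unrestricted, and NoEgressDeclaredSg as relying on the default rule; HttpsOnlySg passes because its single rule names a protocol and port even though its destination is 0.0.0.0/0, which is exactly the distinction the rule on this page draws.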
Secure configuration example with explicit ports and restricted destinations:
```yaml
Parameters:
  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
        - MyExistingSecurityGroup
      KeyName: !Ref KeyName
      ImageId: ami-7a11e213
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
      # Egress is limited to a single protocol and port; the destination is
      # still the whole internet, but the protocol is no longer "ALL".
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
```
```json
{
  "Parameters": {
    "KeyName": {
      "Description": "The EC2 Key Pair to allow SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName"
    }
  },
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "SecurityGroups": [
          { "Ref": "InstanceSecurityGroup" },
          "MyExistingSecurityGroup"
        ],
        "KeyName": { "Ref": "KeyName" },
        "ImageId": "ami-7a11e213"
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable SSH access via port 22",
        "SecurityGroupIngress": [
          { "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0" }
        ]
      }
    }
  }
}
```
Non-Compliant Code Examples
```json
{
  "Parameters": {
    "KeyName": {
      "Description": "The EC2 Key Pair to allow SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName"
    }
  },
  "Resources": {
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-7a11e213",
        "SecurityGroups": [
          { "Ref": "InstanceSecurityGroup" },
          "MyExistingSecurityGroup"
        ],
        "KeyName": { "Ref": "KeyName" }
      }
    },
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable SSH access via port 22",
        "SecurityGroupIngress": [
          { "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22" }
        ],
        "SecurityGroupEgress": [
          { "IpProtocol": "ALL", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0" }
        ]
      }
    }
  }
}
```
```yaml
Parameters:
  KeyName:
    Description: The EC2 Key Pair to allow SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
        - MyExistingSecurityGroup
      KeyName: !Ref KeyName
      ImageId: ami-7a11e213
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
      # Flagged: IpProtocol ALL combined with CidrIp 0.0.0.0/0 allows any
      # protocol to any destination, regardless of the port range given.
      SecurityGroupEgress:
        - IpProtocol: ALL
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```