Every rule in an AWS security group should carry a `description`. This applies to each inline `ingress` and `egress` block of an `aws_security_group` resource and to every standalone `aws_security_group_rule` resource; the `description` on the security group itself documents the group, not its individual rules, so a group-level description does not satisfy this rule. Rule descriptions are stored on the rule in AWS and surfaced in the console and API, which makes it far easier to understand the purpose and intent behind each rule and improves the maintainability and auditability of your security configurations. Without them, security teams may struggle to identify the rationale for a specific rule, increasing the risk of misconfigurations or inadvertent exposure of resources when rules are edited or cleaned up. Leaving descriptions absent or blank can lead to confusion, makes incident response more difficult, and may undermine compliance efforts that require clear documentation of network security controls.
Compliant Code Examples
```hcl
resource "aws_security_group" "allow_tls" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id

  ingress {
    description      = "TLS from VPC"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = [aws_vpc.main.cidr_block]
    ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
  }

  tags = {
    Name = "allow_tls"
  }
}
```

```hcl
resource "aws_security_group" "negative2" {
  name        = "${var.prefix}-external-http-https"
  description = "Allow main HTTP / HTTPS"
  vpc_id      = local.vpc_id

  ingress {
    description = "Enable HTTP access for select VMs"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "Enable HTTPS access for select VMs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.prefix}-external-http-https"
  }
}
```

```hcl
resource "aws_security_group" "negative3" {
  name        = "${var.prefix}-external-http-https"
  description = "Allow main HTTP / HTTPS"
  vpc_id      = local.vpc_id

  tags = {
    Name = "${var.prefix}-external-http-https"
  }
}

resource "aws_security_group_rule" "negative3a" {
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.negative3.id
  type              = "ingress"
  description       = "Enable HTTP access for select VMs"
}

resource "aws_security_group_rule" "negative3b" {
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.negative3.id
  type              = "ingress"
  description       = "Enable HTTPS access for select VMs"
}
```
Non-Compliant Code Examples
```hcl
resource "aws_security_group" "positive2" {
  name        = "${var.prefix}-external-http-https"
  description = "Allow main HTTP / HTTPS"
  vpc_id      = local.vpc_id

  ingress {
    description = "Enable HTTP access for select VMs"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Flagged: this inline rule has no description (the group-level description does not count).
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "${var.prefix}-external-http-https"
  }
}
```

```hcl
resource "aws_security_group" "positive3" {
  name        = "${var.prefix}-external-http-https"
  description = "Allow main HTTP / HTTPS"
  vpc_id      = local.vpc_id

  tags = {
    Name = "${var.prefix}-external-http-https"
  }
}

resource "aws_security_group_rule" "positive3a" {
  description       = "Enable HTTP access for select VMs"
  from_port         = 80
  to_port           = 80
  cidr_blocks       = ["0.0.0.0/0"]
  protocol          = "tcp"
  security_group_id = aws_security_group.positive3.id
  type              = "ingress"
}

# Flagged: this standalone rule resource has no description.
resource "aws_security_group_rule" "positive3b" {
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  protocol          = "tcp"
  security_group_id = aws_security_group.positive3.id
  type              = "ingress"
}
```
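The check behind the examples above can be reproduced locally before a pull request reaches the scanner. The following is an added example written for this page, not Datadog's rule implementation and not code from any real project: a small, regex-driven HCL scanner (it does not handle heredocs or braces inside comments) that walks each `aws_security_group` resource's inline `ingress`/`egress` blocks and each `aws_security_group_rule` resource, and reports any rule whose own `description` is absent or blank. The sample input is constructed inline and mirrors the shapes shown in the compliant and non-compliant examples; the function and variable names are the example's own.

```python
"""Flag Terraform AWS security group rules that carry no description."""
import re

# A block header at line start: `resource "aws_security_group" "web" {` or `ingress {`.
# `tags = {` is an attribute and does not match because of the `=`.
BLOCK_HEADER = re.compile(r'^[ \t]*([A-Za-z_][\w-]*(?:[ \t]+"[^"\n]*")*)[ \t]*\{', re.M)

# Constructed sample input, not code from any real project. The group-level
# description must not count for its rules; the 443 ingress has no description,
# the egress has a blank one, and the standalone rule resource has none.
SAMPLE_HCL = '''
resource "aws_security_group" "web" {
  name        = "${var.prefix}-web"
  description = "Allow HTTP / HTTPS"

  ingress {
    description = "Enable HTTP access for select VMs"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = ""
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.web.id
}
'''

def _match_brace(text, i):
    """Index of the '}' closing text[i]; quoted strings such as "${var.prefix}" are skipped."""
    depth, in_str = 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            in_str = c != '"'
            i += c == "\\"  # an escaped character cannot close the string
        elif c == '"':
            in_str = True
        elif c in "{}":
            depth += 1 if c == "{" else -1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced braces in HCL input")

def iter_blocks(text):
    """Yield (header, body, header_offset, body_offset) for the top-level blocks of text."""
    pos = 0
    while (m := BLOCK_HEADER.search(text, pos)) is not None:
        close = _match_brace(text, m.end() - 1)
        yield m.group(1), text[m.end():close], m.start(1), m.end()
        pos = close + 1

def own_attr(body, name):
    """Value of the first `name = "..."` line in body, or None if the attribute is unset."""
    m = re.search(rf'^[ \t]*{name}[ \t]*=[ \t]*"((?:[^"\\]|\\.)*)"', body, re.M)
    return m.group(1) if m else None

def find_undocumented_rules(hcl):
    """Return (address, rule, line, reason) for each inline ingress/egress block and each
    aws_security_group_rule resource whose own description is missing or blank."""
    findings = []
    def check(address, rule, desc, offset):
        if desc is None or desc.strip() == "":
            line = hcl.count("\n", 0, offset) + 1
            findings.append((address, rule, line, "missing" if desc is None else "blank"))
    for header, body, start, body_start in iter_blocks(hcl):
        labels = re.findall(r'"([^"]*)"', header)
        if header.split()[0] != "resource" or len(labels) != 2:
            continue
        address = f"{labels[0]}.{labels[1]}"
        if labels[0] == "aws_security_group":
            for kind, rule_body, rule_start, _ in iter_blocks(body):
                if kind in ("ingress", "egress"):
                    check(address, kind, own_attr(rule_body, "description"), body_start + rule_start)
        elif labels[0] == "aws_security_group_rule":
            check(address, own_attr(body, "type") or "rule", own_attr(body, "description"), start)
    return findings
```

Calling `find_undocumented_rules(SAMPLE_HCL)` reports the 443 ingress block (description missing), the egress block (description blank) and the `ssh` rule resource (description missing), each with its line number; the documented port 80 rule is not reported, and the group's own `description` is deliberately never consulted for its inline rules. The blank-string case is treated as a finding because an empty `description = ""` documents nothing, which is the gap the rule text warns about.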
```yaml
rulesets:
  - Terraform / AWS # Rules to enforce / AWS.
```